Multi-access distributed edge security in mobile networks

ABSTRACT

Techniques for providing multi-access distributed edge security in mobile networks (e.g., service provider networks for mobile subscribers, such as for 5G networks) are disclosed. In some embodiments, a system/process/computer program product for multi-access distributed edge security in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting subscription and/or equipment identifier information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the subscription and/or equipment identifier information.

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of co-pending U.S. patent applicationSer. No. 16/368,759 entitled MULTI-ACCESS DISTRIBUTED EDGE SECURITY INMOBILE NETWORKS filed Mar. 28, 2019, which is a continuation in part ofco-pending U.S. patent application Ser. No. 16/144,143 entitled NETWORKSLICE-BASED SECURITY IN MOBILE NETWORKS filed Sep. 27, 2018, and acontinuation in part of co-pending U.S. patent application Ser. No.16/144,147 entitled SERVICE-BASED SECURITY PER SUBSCRIPTION AND/OREQUIPMENT IDENTIFIERS IN MOBILE NETWORKS filed Sep. 27, 2018, all ofwhich are incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device or a set of devices, or software executedon a device, such as a computer, that provides a firewall function fornetwork access. For example, firewalls can be integrated into operatingsystems of devices (e.g., computers, smart phones, or other types ofnetwork communication capable devices). Firewalls can also be integratedinto or executed as software on computer servers, gateways,network/routing devices (e.g., network routers), or data appliances(e.g., security appliances or other types of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies. Forexample, a firewall can filter inbound traffic by applying a set ofrules or policies. A firewall can also filter outbound traffic byapplying a set of rules or policies. Firewalls can also be capable ofperforming basic routing functions.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the followingdetailed description and the accompanying drawings.

FIG. 1A is a block diagram of a 5G wireless network with a securityplatform for providing 5G multi-access security in mobile networks inaccordance with some embodiments.

FIG. 1B is a block diagram of a 5G wireless network with a securityplatform for providing 5G multi-edge security in mobile networks inaccordance with some embodiments.

FIG. 1C is a block diagram of a 5G wireless network with a securityplatform for providing a 5G roaming security—home routed scenario inmobile networks in accordance with some embodiments.

FIG. 1D is a block diagram of a 5G wireless network with securityplatforms for providing a 5G roaming security—local breakout scenario inmobile networks in accordance with some embodiments.

FIG. 1E is a block diagram of a 5G wireless network with a securityplatform for providing 5G multi-access distributed edge security inmobile networks in accordance with some embodiments.

FIG. 2A is an example flow of UE-requested PDU session establishment fornon-roaming and roaming with local breakout in a 5G network inaccordance with some embodiments.

FIG. 2B is an example flow of UE-requested PDU session establishment andmodification/update for non-roaming and roaming with local breakout in a5G network in accordance with some embodiments.

FIG. 2C is an example flow of EPS to 5GS idle mode mobility or handoverusing the N26 interface in a 5G network in accordance with someembodiments.

FIG. 2D is an example flow of a mobility procedure from EPS to 5GSwithout using the N26 interface in a 5G network in accordance with someembodiments.

FIG. 2E is an example flow of a handover of a PDU session between 3GPPaccess and non-3GPP access in which the target AMF does not know the SMFresource identifier of the SM context used by the source AMF in a 5Gnetwork in accordance with some embodiments.

FIG. 2F is an example flow of a handover of a PDU session from 3GPPaccess to untrusted non-3GPP access with N3IWF in the HPLMN (home routedroaming) in a 5G network in accordance with some embodiments.

FIG. 2G is an example flow of a handover of an EPS to 5GC-N3IWF in a 5Gnetwork in accordance with some embodiments.

FIG. 2H is an example flow of a handover of an EPC/ePDG to 5GS in a 5Gnetwork in accordance with some embodiments.

FIG. 2I is an example flow of a UE-requested PDU session establishmentfor home routed roaming scenarios in a 5G network in accordance withsome embodiments.

FIG. 2J is an example flow of a UE-requested PDU session establishmentand modification/update for home routed roaming scenarios in a 5Gnetwork in accordance with some embodiments.

FIG. 2K is an example flow of a Protocol Data Unit (PDU) sessionestablishment over an N4 interface between a 5G User Plane Function(UPF) and a 5G Core Control/Signaling Function (SMF) in a 5G network inaccordance with some embodiments.

FIG. 3 is a functional diagram of hardware components of a networkdevice for performing enhanced security for 5G mobile networks forservice providers in accordance with some embodiments.

FIG. 4 is a functional diagram of logical components of a network devicefor performing enhanced security for 5G mobile networks for serviceproviders in accordance with some embodiments.

FIG. 5 is a flow diagram of a process for performing enhanced securityfor 5G networks for service providers in accordance with someembodiments.

FIG. 6 is another flow diagram of a process for performing enhancedsecurity for 5G networks for service providers in accordance with someembodiments.

FIG. 7 is another flow diagram of a process for performing enhancedsecurity for 5G networks for service providers in accordance with someembodiments.

FIG. 8 is another flow diagram of a process for performing enhancedsecurity for 5G networks for service providers in accordance with someembodiments.

FIG. 9 is a screen shot diagram of a snapshot of a Packet ForwardingControl Protocol (PFCP) Session Establishment Request packet capture(pcap) for performing multi-access distributed edge security for 5Gnetworks for service providers in accordance with some embodiments.

FIG. 10 is a flow diagram of a process for performing multi-accessdistributed edge security for 5G networks for service providers inaccordance with some embodiments.

FIG. 11 is another flow diagram of a process for performing multi-accessdistributed edge security for 5G networks for service providers inaccordance with some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as aprocess; an apparatus; a system; a composition of matter; a computerprogram product embodied on a computer readable storage medium; and/or aprocessor, such as a processor configured to execute instructions storedon and/or provided by a memory coupled to the processor. In thisspecification, these implementations, or any other form that theinvention may take, may be referred to as techniques. In general, theorder of the steps of disclosed processes may be altered within thescope of the invention. Unless stated otherwise, a component such as aprocessor or a memory described as being configured to perform a taskmay be implemented as a general component that is temporarily configuredto perform the task at a given time or a specific component that ismanufactured to perform the task. As used herein, the term ‘processor’refers to one or more devices, circuits, and/or processing coresconfigured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention isprovided below along with accompanying figures that illustrate theprinciples of the invention. The invention is described in connectionwith such embodiments, but the invention is not limited to anyembodiment. The scope of the invention is limited only by the claims andthe invention encompasses numerous alternatives, modifications andequivalents. Numerous specific details are set forth in the followingdescription in order to provide a thorough understanding of theinvention. These details are provided for the purpose of example and theinvention may be practiced according to the claims without some or allof these specific details. For the purpose of clarity, technicalmaterial that is known in the technical fields related to the inventionhas not been described in detail so that the invention is notunnecessarily obscured.

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device, a set of devices, or software executedon a device that provides a firewall function for network access. Forexample, a firewall can be integrated into operating systems of devices(e.g., computers, smart phones, or other types of network communicationcapable devices). A firewall can also be integrated into or executed assoftware applications on various types of devices or security devices,such as computer servers, gateways, network/routing devices (e.g.,network routers), or data appliances (e.g., security appliances or othertypes of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies (e.g.,network policies or network security policies). For example, a firewallcan filter inbound traffic by applying a set of rules or policies toprevent unwanted outside traffic from reaching protected devices. Afirewall can also filter outbound traffic by applying a set of rules orpolicies (e.g., allow, block, monitor, notify or log, and/or otheractions can be specified in firewall/security rules or firewall/securitypolicies, which can be triggered based on various criteria, such asdescribed herein). A firewall may also apply anti-virus protection,malware detection/prevention, or intrusion protection by applying a setof rules or policies.

Security devices (e.g., security appliances, security gateways, securityservices, and/or other security devices) can include various securityfunctions (e.g., firewall, anti-malware, intrusion prevention/detection,proxy, and/or other security functions), networking functions (e.g.,routing, Quality of Service (QoS), workload balancing of network relatedresources, and/or other networking functions), and/or other functions.For example, routing functions can be based on source information (e.g.,source IP address and port), destination information (e.g., destinationIP address and port), and protocol information.

A basic packet filtering firewall filters network communication trafficby inspecting individual packets transmitted over a network (e.g.,packet filtering firewalls or first generation firewalls, which arestateless packet filtering firewalls). Stateless packet filteringfirewalls typically inspect the individual packets themselves and applyrules based on the inspected packets (e.g., using a combination of apacket's source and destination address information, protocolinformation, and a port number).

Application firewalls can also perform application layer filtering(e.g., using application layer filtering firewalls or second generationfirewalls, which work on the application level of the TCP/IP stack).Application layer filtering firewalls or application firewalls cangenerally identify certain applications and protocols (e.g., webbrowsing using HyperText Transfer Protocol (HTTP), a Domain Name System(DNS) request, a file transfer using File Transfer Protocol (FTP), andvarious other types of applications and other protocols, such as Telnet,DHCP, TCP, UDP, and TFTP (GSS)). For example, application firewalls canblock unauthorized protocols that attempt to communicate over a standardport (e.g., an unauthorized/out of policy protocol attempting to sneakthrough by using a non-standard port for that protocol can generally beidentified using application firewalls).

Stateful firewalls can also perform stateful-based packet inspection inwhich each packet is examined within the context of a series of packetsassociated with that network transmission's flow of packets/packet flow(e.g., stateful firewalls or third generation firewalls). This firewalltechnique is generally referred to as a stateful packet inspection as itmaintains records of all connections passing through the firewall and isable to determine whether a packet is the start of a new connection, apart of an existing connection, or is an invalid packet. For example,the state of a connection can itself be one of the criteria thattriggers a rule within a policy.

Advanced or next generation firewalls can perform stateless and statefulpacket filtering and application layer filtering as discussed above.Next generation firewalls can also perform additional firewalltechniques. For example, certain newer firewalls sometimes referred toas advanced or next generation firewalls can also identify users andcontent. In particular, certain next generation firewalls are expandingthe list of applications that these firewalls can automatically identifyto thousands of applications. Examples of such next generation firewallsare commercially available from Palo Alto Networks, Inc. (e.g., PaloAlto Networks' PA Series next generation firewalls and Palo AltoNetworks' VM Series virtualized next generation firewalls).

For example, Palo Alto Networks' next generation firewalls enableenterprises and service providers to identify and control applications,users, and content—not just ports, IP addresses, and packets—usingvarious identification technologies, such as the following: App-ID™(e.g., App ID) for accurate application identification, User-ID™ (e.g.,User ID) for user identification (e.g., by user or user group), andContent-ID™ (e.g., Content ID) for real-time content scanning (e.g.,controls web surfing and limits data and file transfers). Theseidentification technologies allow enterprises to securely enableapplication usage using business-relevant concepts, instead of followingthe traditional approach offered by traditional port-blocking firewalls.Also, special purpose hardware for next generation firewallsimplemented, for example, as dedicated appliances generally provideshigher performance levels for application inspection than softwareexecuted on general purpose hardware (e.g., such as security appliancesprovided by Palo Alto Networks, Inc., which utilize dedicated, functionspecific processing that is tightly integrated with a single-passsoftware engine to maximize network throughput while minimizing latencyfor Palo Alto Networks' PA Series next generation firewalls).

Technical and Security Challenges in Today's Mobile Networks for ServiceProviders

In today's service provider network environments, the service providercan typically only implement a static security policy for wirelessdevices communicating over the service provider's wireless network(e.g., the service provider cannot define a security/firewall policy ona per endpoint basis and/or a per flow basis for wireless devicescommunicating over the service provider's wireless network), and anychanges generally require network infrastructure updates.

Thus, technical and security challenges with service provider networksexist for devices in mobile networks. As such, what are needed are newand improved security techniques for devices in such service providernetwork environments (e.g., mobile networks). Specifically, what areneeded are new and improved solutions for monitoring service providernetwork traffic and applying security policies (e.g., firewall policies)for devices communicating on service provider networks.

Overview of Techniques for Network Slice-Based Security in MobileNetworks

Accordingly, techniques for enhanced security platforms (e.g., afirewall (FW)/Next Generation Firewall (NGFW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) withinservice provider network environments are disclosed. Specifically,various system architectures for implementing and various processes forproviding security platforms within service provider networkenvironments that can provide network slice-based security in mobilenetworks for service providers, such as for 5G cellular networks, aredisclosed. More specifically, various system architectures forimplementing and various processes for providing security platformswithin service provider network environments for network slice-basedsecurity in mobile networks for service providers, such as for 5Gcellular networks, are disclosed.

In some embodiments, various techniques are disclosed for applyingnetwork slice-based security that can be applied using a securityplatform by parsing HTTP/2 messages to extract network sliceinformation. For example, in 5G cellular networks, HTTP/2 shall be usedin the service-based interface.

Specifically, HTTP/2 as described in IETF RFC 7540 (e.g., available athttps://tools.ietf.org/html/rfc7540) is a binary protocol that supportsmultiplexing multiple streams over a single connection, headercompression and unrequested push from servers to clients. HTTP/2 willuse TCP as described in IETF RFC 793 (e.g., available athttps://tools.ietf.org/html/rfc793) as the transport protocol. NetworkSlice is a logical network within a Public Land Mobile Network (PLMN)including Core Network Control Plane and User Plane Network Functions,and in serving PLMN at least one of either NG Radio Access Network orNon-3GPP Interworking Function (N3IWF) to the non-3GPP Access Network.

More specifically, Network Slice is identified by Single Network SliceSelection Assistance Information (S-NSSAI). An S-NSSAI is composed of:(1) a Slice/Service type (SST)—It refers to the expected Network Slicebehavior in terms of features and services; and (2) a SliceDifferentiator (SD) (e.g., it is optional information to differentiatebetween multiple Network Slices of the same SST).

Further, S-NSSAI can have standard or non-standard values. StandardizedSST values defined by 3GPP are provided below:

Slice/Service SST type value Characteristics. eMBB 1 Slice suitable forthe handling of 5G enhanced Mobile Broadband. URLLC 2 Slice suitable forthe handling of ultra- reliable low latency communications. MIoT 3 Slicesuitable for the handling of massive IoT.

In some embodiments, based on the security platform deployment topologyin a given 5G network, S-NSSAI information can be extracted using one ormore of two options, which are further described below. As a firstoption, the security platform extracts S-NSSAI information from the datatype ‘SmContextCreateData’ (e.g., defined in 3GPP TS 29.502 available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3340)in the payload of an HTTP/2 POST request sent from the NF ServiceConsumer to the Session Management Function (SMF) during a ‘Create SMContext Request’ service operation. The ‘Create SM Context Request’service operation (e.g., defined in 3GPP TS 29.502) shall be used in thefollowing example procedures to create an individual Session Management(SM) context, for a given Protocol Data Unit (PDU) session, in the SMF,or in the V-SMF for Home Routed (HR) roaming scenarios: (1) UE requestedPDU Session Establishment; (2) Evolved Packet System (EPS) to 5G System(5GS) idle mode mobility or handover using N26 interface; (3) EPS 5GSmobility without N26 interface; (4) Handover of a PDU session between3GPP access and non-3GPP access in certain scenarios; (5) Handover fromEPS to 5GC-N3IWF (Non-3GPP Interworking Function); and (6) Handover fromEPC/ePDG (evolved packet data gateway) to 5GS.

As a second option, the security platform extracts S-NSSAI informationfrom data type ‘PduSessionCreateData’ (e.g., defined in 3GPP TS 29.502)in the payload of an HTTP/2 POST request sent from the NF ServiceConsumer to then H-SMF during the Create service operation. The Createservice operation (e.g., defined in 3GPP TS 29.502) shall be used in thefollowing example procedures to create an individual PDU session in theH-SMF for HR roaming scenarios: (1) UE requested PDU SessionEstablishment; (2) EPS to 5GS idle mode mobility or handover using N26interface; (3) EPS 5GS mobility without N26 interface; (4) Handover of aPDU session between 3GPP access and non-3GPP access in certainscenarios; (5) Handover from EPS to 5GC-N3IWF; and (6) Handover fromEPC/ePDG to 5GS.

In some embodiments, a system/process/computer program product forproviding network slice-based security in mobile networks includes usinga Network Slice Identifier (S-NSSAI) to apply security for a customerwith multiple subscribers, mobile subscribers and subscriber's devices,such as further described below with respect to various embodiments andexamples.

In one embodiment, a system/process/computer program product forproviding network slice-based security in mobile networks includesproviding security for a customer with multiple subscribers, mobilesubscribers and subscriber's devices is performed using a securitypolicy implemented by a security platform that can be applied perS-NSSAI in 5G networks.

In one embodiment, a system/process/computer program product forproviding network slice-based security in mobile networks includesproviding threat detection for a customer with multiple subscribers,mobile subscribers and subscriber's devices is performed using asecurity policy implemented by a security platform that can be appliedper S-NSSAI in 5G networks.

In one embodiment, a system/process/computer program product forproviding network slice-based security in mobile networks includesproviding threat prevention for a customer with multiple subscribers,mobile subscribers and subscriber's devices is performed using asecurity policy implemented by a security platform that can be appliedper S-NSSAI in 5G networks.

In one embodiment, a system/process/computer program product forproviding network slice-based security in mobile networks includes usinga Network Slice Identifier (S-NSSAI) to apply Uniform Resource Locator(URL) filtering for a customer with multiple subscribers, mobilesubscribers and subscriber's devices is performed using a securitypolicy implemented by a security platform that can be applied perS-NSSAI in 5G networks.

In one embodiment, a system/process/computer program product forproviding network slice-based security in mobile networks includesproviding security for a customer with multiple subscribers, mobilesubscribers and subscriber's devices is performed using a securitypolicy implemented by a security platform that can be applied per SST in5G networks.

In one embodiment, a system/process/computer program product forproviding network slice-based security in mobile networks includesproviding threat detection for a customer with multiple subscribers,mobile subscribers and subscriber's devices is performed using asecurity policy implemented by a security platform that can be appliedper SST in 5G networks.

In one embodiment, a system/process/computer program product forproviding network slice-based security in mobile networks includesproviding threat prevention for a customer with multiple subscribers,mobile subscribers and subscriber's devices is performed using asecurity policy implemented by a security platform that can be appliedper SST in 5G networks.

For example, the disclosed techniques can allow 5G converged operatorsto provide Network slice-based security to any customer with multiplesubscribers, users and/or Internet of Things (IoT) devices (e.g.,Cellular IoT (CIoT) devices) who connect to their network using 5G radioaccess technology and handover from/to 5G to non-5G access technologies.

Example new and enhanced security services for mobile networks (e.g.,for converged mobile network operators/service providers) that can beprovided using the disclosed techniques include one or more of thefollowing: (1) Network Slice-based firewall service; (2) NetworkSlice-based basic threat detection service for known threats; (3)Network Slice-based advanced threat detection service for unknownthreats; (4) Network Slice-based basic threat prevention service forknown threats; (5) Network Slice-based advanced threat preventionservice for unknown threats; (6) Network Slice-based URL filteringservice; (7) Network Slice-based application DoS detection service; (8)Network Slice-based application DoS prevention service; and (9) URLFiltering in NGFW could be done per SST in 5G networks.

These and other embodiments and examples for providing networkslice-based security in mobile networks will be further described below.

Overview of Techniques for Service-Based Security Per Subscriptionand/or Equipment Identifiers in Mobile Networks for Service Providers

Service-Based Security Per Subscription Permanent Identifier (SUPI)

Accordingly, techniques for enhanced security platforms (e.g., afirewall (FW)/Next Generation Firewall (NGFW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) withinservice provider network environments are disclosed. Specifically,various system architectures for implementing and various processes forproviding security platforms within service provider networkenvironments that can provide service-based security in mobile networksfor service providers, such as for 5G cellular networks, are disclosed.More specifically, various system architectures for implementing andvarious processes for providing security platforms within serviceprovider network environments for service-based security that can beapplied using a security platform by parsing HTTP/2 messages to extractthe Subscription Permanent Identifier (SUPI) information in mobilenetworks for service providers, such as for 5G cellular networks, aredisclosed.

In some embodiments, various techniques are disclosed for applyingservice-based security per Subscription Permanent Identifier (SUPI) thatcan be applied using a security platform by parsing HTTP/2 messages toextract SUPI information. For example, in 5G cellular networks, HTTP/2shall be used in the service-based interface.

Specifically, HTTP/2 shall be used in the service-based interface.HTTP/2 as described in IETF RFC 7540 is a binary protocol which supportsmultiplexing multiple streams over a single connection, headercompression and unrequested push from servers to clients. HTTP/2 willuse TCP as described in IETF RFC 793 as the transport protocol.

More specifically, SUPI is a globally unique 5G subscription identifierwhich shall be allocated to each subscriber in the 5G system andprovisioned in the Universal Data Management (UDM)/Universal DataRepository (UDR). The SUPI is used inside the 3GPP system. The SUPI mayinclude the following information: (1) an IMSI as defined in 3GPP TS23.003 available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=729,or (2) a network-specific identifier, used for private networks asdefined in 3GPP TS 23.003 available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=729.In some cases, a SUPI can take the form of a Network Access Identifier(NAI) using the NAI RFC 7542 based user identification as defined in3GPP TS 23.003, for either IMSI based or non-IMSI based (e.g., when usedover a non-3GPP Access Technology or for private networks) NAI. Forinterworking with the Evolved Packet Core (EPC), the SUPI allocated tothe 3GPP User Equipment (UE) shall always be based on an IMSI to enablethe UE to present an IMSI to the EPC.

In some embodiments, based on the security platform deployment topologyin the 5G network, SUPI information can be extracted using the followingtwo options. As a first option, a security platform extracts SUPIinformation from the data type SmContextCreateData′ (e.g., defined in3GPP TS 29.502) in the payload of the HTTP/2 POST request sent from anNF Service Consumer to Session Management Function (SMF) during the‘Create SM Context Request’ service operation. For example, the ‘CreateSM Context Request’ service operation (e.g., defined in 3GPP TS 29.502)shall be used in the following procedures to create an individualSession Management (SM) context, for a given Protocol Data Unit (PDU)session, in the SMF, or in the V-SMF for Home Routed (HR) roamingscenarios: (1) UE requested PDU Session Establishment; (2) EvolvedPacket System (EPS) to 5G System (5GS) idle mode mobility or handoverusing N26 interface; (3) EPS 5GS mobility without N26 interface; (4)Handover of a PDU session between 3GPP access and non-3GPP access inCertain scenarios; (5) Handover from EPS to 5GC-N3IWF (Non-3GPPInterworking Function); and (6) Handover from EPC/ePDG (evolved packetdata gateway) to 5GS, which are each further discussed below.

As a second option, a security platform extracts SUPI information fromdata type ‘PduSessionCreateData’ (e.g., defined in 3GPP TS 29.502) inthe payload of the HTTP/2 POST request sent from the NF Service Consumerto the H-SMF during the Create service operation. The Create serviceoperation (e.g., defined in 3GPP TS 29.502) shall be used in thefollowing procedures to create an individual PDU session in the H-SMFfor HR roaming scenarios: (1) UE requested PDU Session Establishment;(2) EPS to 5GS idle mode mobility or handover using N26 interface; (3)EPS 5GS mobility without N26 interface; (4) Handover of a PDU sessionbetween 3GPP access and non-3GPP access in certain scenarios; (5)Handover from EPS to 5GC-N3IWF; and (6) Handover from EPC/ePDG to 5GS,which are each further discussed below.

In some embodiments, a system/process/computer program product forproviding service-based security per Subscription Permanent Identifier(SUPI) in mobile networks includes providing security for mobilesubscribers and subscriber's devices and is performed using a securitypolicy that can be applied using a security platform by parsing HTTP/2messages to extract SUPI information in 5G networks.

Example new and enhanced security services for mobile networks (e.g.,for converged mobile network operators/service providers) that can beprovided using the disclosed techniques include one or more of thefollowing: (1) security policies that can be applied per SUPIinformation for a SUPI-based firewall service; (2) SUPI-based threatdetection service for known threats; (3) SUPI-based advanced threatdetection service for unknown threats; (4) SUPI-based basic threatprevention service for known threats; (5) SUPI-based advanced threatprevention service for unknown threats; (6) SUPI-based URL filteringservice; (7) SUPI-based application DoS detection service; and (8)SUPI-based application DoS prevention service.

Service-Based Security Per Permanent Equipment Identifier (PEI)

Accordingly, techniques for enhanced security platforms (e.g., afirewall (FW)/Next Generation Firewall (NGFW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) withinservice provider network environments are disclosed. Specifically,various system architectures for implementing and various processes forproviding security platforms within service provider networkenvironments that can provide service-based security in mobile networksfor service providers, such as for 5G cellular networks, are disclosed.More specifically, various system architectures for implementing andvarious processes for providing security platforms within serviceprovider network environments for service-based security that can beapplied using a security platform by parsing HTTP/2 messages to extractthe Permanent Equipment Identifier (PEI) information in mobile networksfor service providers, such as for 5G cellular networks, are disclosed.

In some embodiments, various techniques are disclosed for applyingservice-based security per Permanent Equipment Identifier (PEI) that canbe applied using a security platform by parsing HTTP/2 messages toextract PEI information. For example, in 5G cellular networks, HTTP/2shall be used in the service-based interface.

Specifically, HTTP/2 shall be used in the service-based interface.HTTP/2 as described in IETF RFC 7540 is a binary protocol which supportsmultiplexing multiple streams over a single connection, headercompression and unrequested push from servers to clients. HTTP/2 willuse TCP as described in IETF RFC 793 as the transport protocol.

More specifically, PEI is a permanent equipment identifier defined forthe 3GPP UE accessing the 5G System. The PEI can assume differentformats for different UE types and use cases. The UE shall share the PEIto the network along with an indication of the PEI format being used. Ifthe UE supports at least one 3GPP access technology, then the UE isallocated a PEI in the International Mobile Equipment Identifier (IMEI)format. For example, the PEI can include the following information: anIMEI or IMEISV as defined in 3GPP TS 23.003 available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=729.

In some embodiments, based on the security platform deployment topologyin a 5G network, PEI information can be extracted using the followingtwo options. As a first option, the security platform extracts PEIinformation from data type ‘SmContextCreateData’ (e.g., defined in 3GPPTS 29.502) in the payload of the HTTP/2 POST request sent from the NFService Consumer to the Session Management Function (SMF) during the‘Create SM Context Request’ service operation. The ‘Create SM ContextRequest’ service operation (e.g., defined in 3GPP TS 29.502) shall beused in the following procedures to create an individual SessionManagement (SM) context, for a given Protocol Data Unit (PDU) session,in the SMF, or in the V-SMF for Home Routed (HR) roaming scenarios: (1)UE requested PDU Session Establishment; (2) Evolved Packet System (EPS)to 5G System (5GS) idle mode mobility or handover using N26 interface;(3) EPS 5GS mobility without N26 interface; (4) Handover of a PDUsession between 3GPP access and non-3GPP access in certain scenarios;(5) Handover from EPS to 5GC-N3IWF (Non-3GPP Interworking Function); and(6) Handover from EPC/ePDG (evolved packet data gateway) to 5GS, whichare each further discussed below.

As a second option, the security platform extracts PEI information fromdata type ‘PduSessionCreateData’ (e.g., defined in 3GPP TS 29.502) inthe payload of the HTTP/2 POST request sent from the NF Service Consumerto the H-SMF during the Create service operation. The Create serviceoperation (e.g., defined in 3GPP TS 29.502) shall be used in thefollowing procedures to create an individual PDU session in the H-SMFfor HR roaming scenarios: (1) UE requested PDU Session Establishment;(2) EPS to 5GS idle mode mobility or handover using N26 interface; (3)EPS 5GS mobility without N26 interface; (4) Handover of a PDU sessionbetween 3GPP access and non-3GPP access in certain scenarios; (5)Handover from EPS to 5GC-N3IWF; and (6) Handover from EPC/ePDG to 5GS,which are each further discussed below.

In some embodiments, a system/process/computer program product forproviding service-based security per Permanent Equipment Identifier(PEI) in mobile networks includes providing security for mobilesubscribers and subscriber's devices and is performed using a securitypolicy that can be applied using a security platform by parsing HTTP/2messages to extract PEI information in 5G networks.

Example new and enhanced security services for mobile networks (e.g.,for converged mobile network operators/service providers) that can beprovided using the disclosed techniques include one or more of thefollowing: (1) security policies that can be applied per PEI informationfor a PEI-based firewall service; (2) PEI-based threat detection servicefor known threats; (3) PEI-based advanced threat detection service forunknown threats; (4) PEI-based basic threat prevention service for knownthreats; (5) PEI-based advanced threat prevention service for unknownthreats; (6) PEI-based URL filtering service; (7) PEI-based applicationDoS detection service; and (8) PEI-based application DoS preventionservice.

Service-Based Security Per General Public Subscription Identifier (GPSI)

Accordingly, techniques for enhanced security platforms (e.g., afirewall (FW)/Next Generation Firewall (NGFW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) withinservice provider network environments are disclosed. Specifically,various system architectures for implementing and various processes forproviding security platforms within service provider networkenvironments that can provide service-based security in mobile networksfor service providers, such as for 5G cellular networks, are disclosed.More specifically, various system architectures for implementing andvarious processes for providing security platforms within serviceprovider network environments for service-based security that can beapplied using a security platform by parsing HTTP/2 messages to extractthe General Public Subscription Identifier (GPSI) information in mobilenetworks for service providers, such as for 5G cellular networks, aredisclosed.

In some embodiments, various techniques are disclosed for applyingservice-based security per General Public Subscription Identifier (GPSI)that can be applied using a security platform by parsing HTTP/2 messagesto extract GPSI information. For example, in 5G cellular networks,HTTP/2 shall be used in the service-based interface.

Specifically, HTTP/2 shall be used in the service-based interface.HTTP/2 as described in IETF RFC 7540 is a binary protocol which supportsmultiplexing multiple streams over a single connection, headercompression and unrequested push from servers to clients. HTTP/2 willuse TCP as described in IETF RFC 793 as the transport protocol.

More specifically, GPSI is used for addressing a 3GPP subscription indifferent data networks outside of the 3GPP system. The 3GPP systemstores within the subscription data the association between the GPSI andthe corresponding SUPI. GPSIs are public identifiers used both insideand outside of the 3GPP system. The GPSI is either an MSISDN or anExternal Identifier (e.g., defined in TS 23.003). If the MSISDN isincluded in the subscription data, it shall be possible that the sameMSISDN value is supported in both 5GS and EPS.

In some embodiments, based on the security platform deployment topologyin a 5G network, GPSI information can be extracted using the followingtwo options. As a first option, the security platform extracts GPSIinformation from data type SmContextCreateData′ (e.g., defined in 3GPPTS 29.502) in the payload of the HTTP/2 POST request sent from an NFService Consumer to Session Management Function (SMF) during the ‘CreateSM Context Request’ service operation. The ‘Create SM Context Request’service operation (e.g., defined in 3GPP TS 29.502) shall be used in thefollowing procedures to create an individual Session Management (SM)context, for a given Protocol Data Unit (PDU) session, in the SMF, or inthe V-SMF for Home Routed (HR) roaming scenarios: (1) UE requested PDUSession Establishment; (2) Evolved Packet System (EPS) to 5G System(5GS) idle mode mobility or handover using N26 interface; (3) EPS 5GSmobility without N26 interface; (4) Handover of a PDU session between3GPP access and non-3GPP access in certain scenarios; (5) Handover fromEPS to 5GC-N3IWF (Non-3GPP Interworking Function); and (6) Handover fromEPC/ePDG (evolved packet data gateway) to 5GS, which are each furtherdiscussed below.

As a second option, the security platform extracts GPSI information fromdata type ‘PduSessionCreateData’ (e.g., defined in 3GPP TS 29.502) inthe payload of the HTTP/2 POST request sent from an NF Service Consumerto H-SMF during the Create service operation. The Create serviceoperation (e.g., defined in 3GPP TS 29.502) shall be used in thefollowing procedures to create an individual PDU session in the H-SMFfor HR roaming scenarios: (1) UE requested PDU Session Establishment;(2) EPS to 5GS idle mode mobility or handover using N26 interface; (3)EPS 5GS mobility without N26 interface; (4) Handover of a PDU sessionbetween 3GPP access and non-3GPP access in certain scenarios; (5)Handover from EPS to 5GC-N3IWF; and (6) Handover from EPC/ePDG to 5GS,which are each further discussed below.

In some embodiments, a system/process/computer program product forproviding service-based security per General Public SubscriptionIdentifier (GPSI) in mobile networks includes providing security formobile subscribers and subscriber's devices and is performed using asecurity policy that can be applied using a security platform by parsingHTTP/2 messages to extract GPSI information in 5G networks.

Example new and enhanced security services for mobile networks (e.g.,for converged mobile network operators/service providers) that can beprovided using the disclosed techniques include one or more of thefollowing: (1) security policies that can be applied per GPSIinformation for a GPSI-based firewall service; (2) GPSI-based threatdetection service for known threats; (3) GPSI-based advanced threatdetection service for unknown threats; (4) GPSI-based basic threatprevention service for known threats; (5) GPSI-based advanced threatprevention service for unknown threats; (6) GPSI-based URL filteringservice; (7) GPSI-based application DoS detection service; and (8)GPSI-based application DoS prevention service.

These and other embodiments and examples for providing service-basedsecurity per subscription and/or equipment identifiers in mobilenetworks will be further described below.

Overview of Techniques for Service-Based Security Per Data Network Namein Mobile Networks for Service Providers

Accordingly, techniques for enhanced security platforms (e.g., afirewall (FW)/Next Generation Firewall (NGFW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) withinservice provider network environments are disclosed. Specifically,various system architectures for implementing and various processes forproviding security platforms within service provider networkenvironments that can provide service-based security in mobile networksfor service providers, such as for 5G cellular networks, are disclosed.More specifically, various system architectures for implementing andvarious processes for providing security platforms within serviceprovider network environments for service-based security that can beapplied using a security platform by parsing HTTP/2 messages to extractthe Data Network Name (DNN) information in mobile networks for serviceproviders, such as for 5G cellular networks, are disclosed.

In some embodiments, various techniques are disclosed for applyingservice-based security per Data Network Name (DNN) that can be appliedusing a security platform by parsing HTTP/2 messages to extract DNNinformation. For example, in 5G cellular networks, HTTP/2 shall be usedin the service-based interface.

Specifically, HTTP/2 shall be used in the service-based interface.HTTP/2 as described in IETF RFC 7540 is a binary protocol which supportsmultiplexing multiple streams over a single connection, headercompression and unrequested push from servers to clients. HTTP/2 willuse TCP as described in IETF RFC 793 as the transport protocol.

More specifically, DNN is equivalent to an Access Point Name (APN) asdefined in TS 23.003 available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=729.Both identifiers have an equivalent meaning and carry the sameinformation. For example, the DNN may be used to: (1) select an SMF andUPF(s) for a PDU Session; or (2) determine policies to apply to this PDUSession.

In some embodiments, based on the security platform deployment topologyin a 5G network, DNN information can be extracted using the followingtwo options. As a first option, the security platform extracts DNNinformation from data type ‘SmContextCreateData’ (e.g., defined in 3GPPTS 29.502) in the payload of the HTTP/2 POST request sent from the NFService Consumer to the Session Management Function (SMF) during the‘Create SM Context Request’ service operation. The ‘Create SM ContextRequest’ service operation (e.g., defined in 3GPP TS 29.502) shall beused in the following procedures to create an individual SessionManagement (SM) context, for a given Protocol Data Unit (PDU) session,in the SMF, or in the V-SMF for Home Routed (HR) roaming scenarios: (1)UE requested PDU Session Establishment; (2) Evolved Packet System (EPS)to 5G System (5GS) idle mode mobility or handover using N26 interface;(3) EPS 5GS mobility without N26 interface; (4) Handover of a PDUsession between 3GPP access and non-3GPP access in certain scenarios;(5) Handover from EPS to 5GC-N3IWF (Non-3GPP Interworking Function); and(6) Handover from EPC/ePDG (evolved packet data gateway) to 5GS, whichare each further discussed below.

As a second option, the security platform extracts DNN information fromdata type ‘PduSessionCreateData’ (e.g., defined in 3GPP TS 29.502) inthe payload of the HTTP/2 POST request sent from the NF Service Consumerto the H-SMF during the Create service operation. The Create serviceoperation (e.g., defined in 3GPP TS 29.502) shall be used in thefollowing procedures to create an individual PDU session in the H-SMFfor HR roaming scenarios: (1) UE requested PDU Session Establishment;(2) EPS to 5GS idle mode mobility or handover using N26 interface; (3)EPS 5GS mobility without N26 interface; (4) Handover of a PDU sessionbetween 3GPP access and non-3GPP access in certain scenarios; (5)Handover from EPS to 5GC-N3IWF; and (6) Handover from EPC/ePDG to 5GS,which are each further discussed below.

In some embodiments, a system/process/computer program product forproviding service-based security per Data Network Name (DNN) in mobilenetworks includes providing security for mobile subscribers andsubscriber's devices and is performed using a security policy that canbe applied using a security platform by parsing HTTP/2 messages toextract DNN information in 5G networks.

Example new and enhanced security services for mobile networks (e.g.,for converged mobile network operators/service providers) that can beprovided using the disclosed techniques include one or more of thefollowing: (1) security policies that can be applied per DNN informationfor a DNN-based firewall service; (2) DNN-based threat detection servicefor known threats; (3) DNN-based advanced threat detection service forunknown threats; (4) DNN-based basic threat prevention service for knownthreats; (5) DNN-based advanced threat prevention service for unknownthreats; (6) DNN-based URL filtering service; (7) DNN-based applicationDoS detection service; and (8) DNN-based application DoS preventionservice.

These and other embodiments and examples for providing service-basedsecurity per network name in mobile networks will be further describedbelow.

Overview of Techniques for Security for Service-Based Security Per UserLocation in Mobile Networks for Service Providers

Accordingly, techniques for enhanced security platforms (e.g., afirewall (FW)/Next Generation Firewall (NGFW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) withinservice provider network environments are disclosed. Specifically,various system architectures for implementing and various processes forproviding security platforms within service provider networkenvironments that can provide service-based security in mobile networksfor service providers, such as for 5G cellular networks, are disclosed.More specifically, various system architectures for implementing andvarious processes for providing security platforms within serviceprovider network environments for service-based security that can beapplied using a security platform by parsing HTTP/2 messages to extractthe User Location information in mobile networks for service providers,such as for 5G cellular networks, are disclosed.

In some embodiments, various techniques are disclosed for applyingservice-based security per User Location that can be applied using asecurity platform by parsing HTTP/2 messages to extract User Locationinformation. For example, in 5G cellular networks, HTTP/2 shall be usedin the service-based interface.

Specifically, HTTP/2 shall be used in the service-based interface.HTTP/2 as described in IETF RFC 7540 is a binary protocol which supportsmultiplexing multiple streams over a single connection, headercompression and unrequested push from servers to clients. HTTP/2 willuse TCP as described in IETF RFC 793 as the transport protocol.

More specifically, User Location is defined as EutraLocation,NRLocation, and N3gaLocation as per 3GPP T.S 29.571 available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3347.For example, at least one of them shall be present in User Location. Insome cases, several of them may be present, such as shown in the belowexamples.

-   -   EutraLocation=Tracking Area Identity (TAI)+ECGI (EUTRA Cell        Identity)    -   NRLocation=TAI+NR Cell Identity (NCGI)    -   N3gaLocation—IPv4Addr, IPv6Addr, Uinteger    -   TAI=PLMN Identity (Plmnld)+Tracking Area Code (TAC)    -   ECGI=Plmnld+EUTRA Cell Identity (EutrCellld)    -   NCGI=Plmnld+NR Cell Identity (NrCellId)

In some embodiments, based on the security platform deployment topologyin a 5G network, User Location information can be extracted using thefollowing two options. As a first option, the security platform extractsUser Location information from data type SmContextCreateData′ (e.g.,defined in 3GPP TS 29.502) in the payload of the HTTP/2 POST requestsent from the NF Service Consumer to the Session Management Function(SMF) during the ‘Create SM Context Request’ service operation. The‘Create SM Context Request’ service operation (e.g., defined in 3GPP TS29.502) shall be used in the following procedures to create anindividual Session Management (SM) context, for a given Protocol DataUnit (PDU) session, in the SMF, or in the V-SMF for Home Routed (HR)roaming scenarios: (1) UE requested PDU Session Establishment; (2)Evolved Packet System (EPS) to 5G System (5GS) idle mode mobility orhandover using N26 interface; (3) EPS 5GS mobility without N26interface; (4) Handover of a PDU session between 3GPP access andnon-3GPP access in certain scenarios; (5) Handover from EPS to 5GC-N3IWF(Non-3GPP Interworking Function); and (6) Handover from EPC/ePDG(evolved packet data gateway) to 5GS, which are each further discussedbelow.

As a second option, the security platform extracts User Locationinformation from data type ‘PduSessionCreateData’ (e.g., defined in 3GPPTS 29.502) in the payload of the HTTP/2 POST request sent from the NFService Consumer to the H-SMF during the Create service operation. TheCreate service operation (e.g., defined in 3GPP TS 29.502) shall be usedin the following procedures to create an individual PDU session in theH-SMF for HR roaming scenarios: (1) UE requested PDU SessionEstablishment; (2) EPS to 5GS idle mode mobility or handover using N26interface; (3) EPS 5GS mobility without N26 interface; (4) Handover of aPDU session between 3GPP access and non-3GPP access in certainscenarios; (5) Handover from EPS to 5GC-N3IWF; and (6) Handover fromEPC/ePDG to 5GS, which are each further discussed below.

In some embodiments, a system/process/computer program product forproviding service-based security per User Location in mobile networksincludes providing security for mobile subscribers and subscriber'sdevices and is performed using a security policy that can be appliedusing a security platform by parsing HTTP/2 messages to extract UserLocation information in 5G networks.

Example new and enhanced security services for mobile networks (e.g.,for converged mobile network operators/service providers) that can beprovided using the disclosed techniques include one or more of thefollowing: (1) security policies that can be applied per User Location(e.g., EutraLocation or NRLocation) information for a UserLocation-based firewall service; (2) threat detection service for knownthreats performed per User Location (e.g., EutraLocation or NRLocation);(3) advanced threat detection service for unknown threats performed perUser Location (e.g., EutraLocation or NRLocation); (4) basic threatprevention service for known threats performed per User Location (e.g.,EutraLocation or NRLocation); (5) advanced threat prevention service forunknown threats performed per User Location (e.g., EutraLocation orNRLocation); (6) URL filtering service performed per User Location(e.g., EutraLocation or NRLocation); (7) DoS detection service performedper User Location (e.g., EutraLocation or NRLocation); and (8)application DoS prevention service performed per User Location (e.g.,EutraLocation or NRLocation).

These and other embodiments and examples for providing service-basedsecurity per user location in mobile networks will be further describedbelow.

Overview of Techniques for Multi-Access Distributed Edge Security inMobile Networks

In 5G mobile networks (e.g., 5G networks), Multi-access Edge Computing(MEC) can be utilized to lower latency for advanced premium services,such as hosting applications, Internet of Things (IoT) data analytics(e.g., using MEC as an aggregating point for IoT data), and/or otherservices. However, given that control planes and user planes areseparate in 5G networks, it is technically difficult to apply persubscriber and device level security on MEC sites with the same securityplatform.

Thus, technical and security challenges with service provider networksexist for multi-access distributed edge security in mobile networks. Assuch, what are needed are new and improved security techniques formulti-access distributed edge security in such service provider networkenvironments (e.g., 5G mobile networks). Specifically, what are neededare new and improved solutions for monitoring service provider networktraffic and applying security policies (e.g., firewall policies) formulti-access distributed edge security in service provider networks.

Techniques for providing multi-access distributed edge security inmobile networks (e.g., service provider networks for mobile subscribers,such as for 5G networks) are disclosed. In some embodiments, asystem/process/computer program product for multi-access distributededge security in mobile networks in accordance with some embodimentsincludes monitoring network traffic on a service provider network at asecurity platform to identify a new session, wherein the serviceprovider network includes a 5G network or a converged 5G network;extracting subscription and/or equipment identifier information for usertraffic associated with the new session at the security platform; anddetermining a security policy to apply at the security platform to thenew session based on the subscription and/or equipment identifierinformation.

For example, mobile operators generally view multi-access edge computing(MEC) in 5G mobile networks as advantageous to facilitate lower latencyfor their advanced premium services, such as hosting applications,Internet of Things (IoT) data analytics (e.g., using MEC as anaggregating point for IoT data), and/or other services. Many mobileoperators are planning to host third-party 5G applications at edgecomputing sites (e.g., edge sites) within their 5G networks along withtheir own services.

Generally, MEC and control plane/user plane separation can facilitatemore distribution in 5G networks. For example, a few dozen core sites ofa TIER 1 mobile operator in the United States may convert to a few dozencore sites plus 100's to 1000's of distributed local MEC sites in adeployed 5G network.

Accordingly, techniques for enhanced security platforms (e.g., afirewall (FW)/Next Generation Firewall (NGFW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) withinservice provider network environments for providing multi-accessdistributed edge security in mobile networks (e.g., service providernetworks for mobile subscribers, such as for 5G networks) are disclosed.Specifically, various system architectures for implementing and variousprocesses for providing security platforms within service providernetwork environments that can provide multi-access distributed edgesecurity in mobile networks for service providers are disclosed. Morespecifically, various system architectures for implementing and variousprocesses for providing security platforms within service providernetwork environments for providing multi-access distributed edgesecurity in mobile networks for service providers are disclosed.

In some embodiments, based on a security platform deployment topology ina given 5G network, 5G MEC security is performed using a securityplatform in a 5G technology-based mobile network (e.g., using one ormore security platforms deployed in various locations to monitor, forexample, an N4 interface in the 5G network, such as further describedbelow with respect to FIG. 1E). The security platform parses PacketForwarding Control Protocol (PFCP) messages over an N4 interface betweena Session Management Function (SMF) component/element and a User PlaneFunction (UPF) component/element. The security platform is configured toextract, for example, subscription related information and/or equipmentidentifier related information from the parsed PFCP messages. Asspecified in the 5G standard/specifications, PFCP messages are used onthe interface between the control plane and the user plane functions in5G networks (e.g., as specified in 3GPP TS 29.244 V15.3 available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3111).

In an example implementation, based on the security platform deploymenttopology in the multi-access distributed edge 5G network, thesubscription and equipment identifiers can be extracted as furtherdescribed below. A PFCP Session Establishment Request is sent over an N4interface by the control plane (CP) function (e.g., 5G corecontrol/signaling function, such as shown in FIG. 1E) to establish a newPFCP session context in a user plane (UP) function (UPF) (e.g., 5G userplane function, such as shown in FIG. 1E). This message can includeoptional information element (IE) ‘user ID’ (e.g., the ‘user ID’ IE canbe included in an N4 session establishment request, such as shown inFIG. 2K), which may be present based on an operator policy (e.g., andbased on the 3GPP TS 29.244 V15.3 specification, it shall be only sentif the UP function is located in a trusted environment). The ‘user ID’IE can include the following information/parameters: InternationalMobile Subscription Identity (IMSI) (e.g., IMSI is unique not more than15 digits which shall be allocated to each mobile subscriber asspecified in 3GPP TS 23.003), International Mobile Equipment Identifier(IMEI) (e.g., IMEI is a 15 or 16 digit unique equipment identity asspecified in 3GPP TS 23.003), Mobile Subscriber ISDN (MSISDN) (e.g.,MSISDN is specified in 3GPP TS 23.003), and/or Network Access Identifier(NAI) (e.g., NAI is the user identity submitted by the client duringnetwork access authentication, and for roaming, the NAI can be toidentify the user as well as to assist in the routing of theauthentication request, and it is also used for private networks asspecified in 3GPP TS 23.003).

In one embodiment, the security platform parses Packet ForwardingControl Protocol (PFCP) Session Establishment Request and PFCP SessionEstablishment Response messages to extract the subscription and/orequipment identifier information, and wherein the subscription and/orequipment identifier information is identified by an InternationalMobile Subscription Identity (IMSI), International Mobile EquipmentIdentifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN) relatedinformation.

In one embodiment, a system/process/computer program product forproviding multi-access distributed edge security in mobile networksfurther includes blocking the new session from accessing a resourcebased on the security policy.

In one embodiment, a system/process/computer program product forproviding multi-access distributed edge security in mobile networksincludes monitoring network traffic on a service provider network at asecurity platform to identify a new session, wherein the serviceprovider network includes a 5G network or a converged 5G network;extracting network access identifier information for user trafficassociated with the new session at the security platform; anddetermining a security policy to apply at the security platform to thenew session based on the network access identifier information.

In one embodiment, the network access identifier is identified by aNetwork Access Identifier (NAI) related information, wherein the NAI isassociated with a user identity submitted by a client during a networkaccess authentication.

In some embodiments, a system/process/computer program product forproviding multi-access distributed edge security in mobile networksfurther includes providing service-based security (e.g., performed usinga security policy implemented by a security platform that can beapplied) per International Mobile Subscription Identity (IMSI) in a 5Gnetwork.

In some embodiments, a system/process/computer program product forproviding multi-access distributed edge security in mobile networksfurther includes providing service-based security (e.g., performed usinga security policy implemented by a security platform that can beapplied) per Network Access Identifier (NAI) in a 5G network.

In some embodiments, a system/process/computer program product forproviding multi-access distributed edge security in mobile networksfurther includes providing service-based security (e.g., performed usinga security policy implemented by a security platform that can beapplied) per International Mobile Equipment Identifier (IMEI) in a 5Gnetwork.

In some embodiments, a system/process/computer program product forproviding multi-access distributed edge security in mobile networksfurther includes providing service-based security (e.g., performed usinga security policy implemented by a security platform that can beapplied) per Mobile Subscriber ISDN (MSISDN) in a 5G network.

In some embodiments, a system/process/computer program product forproviding multi-access distributed edge security in mobile networksfurther includes providing service-based security (e.g., performed usinga security policy implemented by a security platform that can beapplied) per IMSI, IMEI, MSISDN, and/or NAI to provide threatidentification and prevention (e.g., for a customer with multiplesubscribers, mobile subscribers, and subscriber's devices) at themulti-access distributed edge locations in 5G networks.

In some embodiments, a system/process/computer program product forproviding multi-access distributed edge security in mobile networksfurther includes providing service-based security (e.g., performed usinga security policy implemented by a security platform that can beapplied) per IMSI, IMEI, MSISDN, and/or NAI to provide applicationidentification (APP ID) and control (e.g., for a customer with multiplesubscribers, mobile subscribers, and subscriber's devices) at themulti-access distributed edge locations in 5G networks.

In some embodiments, a system/process/computer program product forproviding multi-access distributed edge security in mobile networksfurther includes providing service-based security (e.g., performed usinga security policy implemented by a security platform that can beapplied) per IMSI, IMEI, MSISDN, and/or NAI to provide Uniform ResourceLocator (URL) filtering (e.g., for a customer with multiple subscribers,mobile subscribers, and subscriber's devices) at the multi-accessdistributed edge locations in 5G networks.

As an example, mobile network operators can use the disclosed securityplatform and techniques to secure a multi-access distributed edge-basednetwork in 5G networks.

As another example, mobile network operators can use the disclosedsecurity platform and techniques to provide various security services toindustry verticals utilizing edge computing solutions in 5G networks,such as factories/warehouses, airports, transit stations, malls, contentproviders, connected vehicles, and/or various Internet of Things (IoT)devices (e.g., Cellular IoT (CIoT) devices that connect to a networkusing 5G radio access technology and handover from/to 5G to non-5Gaccess technologies).

These and other embodiments and examples for providing multi-accessdistributed edge security in mobile networks will be further describedbelow.

Example System Architectures for Implementing Enhanced Security for 5GNetworks for Service Providers

Generally, 5G is the 5^(th) generation of the mobile communicationssystem. The 3rd Generation Partnership Project (3GPP) (e.g., 3GPPincludes seven telecommunications standard development organizations(ARIB, ATIS, CCSA, ETSI, TSDSI, TTA, TTC). The project covers cellulartelecommunications network technologies, including radio access, thecore transport network, and service capabilities. The specificationsalso provide hooks for non-radio access to the core network, and forinterworking with Wi-Fi networks) and other organizations including ITU,IETF, and ETSI are developing 5G standards. Some of the improvements ofthe new 5G network standards include, for example, low latency (e.g.,approximately less than 10 milliseconds (MS)), high throughput (e.g.,multi-Gbps), distribution, network function virtualizationinfrastructure, as well as orchestration, analytics, and automation.

The 5G architecture is defined in 3GPP TS 23.501 v15.3.0 (e.g.,available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=3144)as service-based, and the interaction between Network Functions (NFs) isrepresented in two ways: (1) service-based representation, where NFswithin the Control Plane (CP) enable other authorized network functionsto access their services; and (2) reference point representation,focuses on the interactions between pairs of NFs defined bypoint-to-point reference points between any two network functions.

In the 5G architecture, the User Plane Protocol stack between the accessnetwork and the core over the backbone network over the N3 interface(e.g., between a Radio Access Network (RAN) and a UPF element) will bebased on the GPRS Tunnel Protocol User Plane (GTP-U) over UDP protocol(e.g., such as shown in FIG. 1E as further described below), and alsoover the N4 interface (e.g., between a UPF element and SMF element) willbe based on the Packet Forwarding Control Protocol (PFCP) over UDPprotocol (e.g., such as shown in FIG. 1E as further described below).The Control Plane NFs in the 5G system architecture shall be based onthe service-based architecture. HTTP/2 will be the protocol used overservice-based interfaces. A new 5G Access Network protocol will be basedover Stream Control Transmission Protocol (SCTP).

Accordingly, in some embodiments, the disclosed techniques includeproviding a security platform (e.g., PANOS executing on an NGFWavailable from Palo Alto Networks, Inc. or another securityplatform/NFGW) configured to provide DPI capabilities (e.g., includingstateful inspection) of, for example, GTP-U sessions and new HTTP/2based TCP sessions that facilitate a correlation between monitored GTP-Utunnel sessions and new HTTP/2 based TCP sessions as further describedbelow, and as another example, correlation between monitored GTP-Utunnels (e.g., on the N3 interface) and PFCP sessions (e.g., on the N4interface) as further described below.

In some embodiments, a security platform (e.g., PANOS executing on anNGFW available from Palo Alto Networks, Inc. or another securityplatform/NFGW) is configured to provide the following DPI capabilities:stateful inspection of N3 GTP-U tunnels and/or N4 GTP-U tunnels; contentinspection of N3 GTP-U tunnels (e.g., to inspect content of inner IPsession of N3 GTP-U tunnels) and/or N4 PFCP sessions (e.g., to inspectcontent of N4 PFCP sessions); support for 3GPP Technical Specification(TS) 29.274 V15.3.0 Release 15 (e.g., and later releases) for Proceduresfor the 5G system to support 5G cellular technology; and support for3GPP Technical Specification (TS) 29.281 V15.4.0 Release 14 (e.g., andlater releases) for GTP-U protocol.

FIG. 1A is a block diagram of a 5G wireless network with a securityplatform for providing 5G multi-access security in mobile networks inaccordance with some embodiments. FIG. 1A is an example service providernetwork environment for a multi-access 5G network architecture thatincludes a Security Platform 102 a and a Security Platform 102 b in aControl Plane/signaling Network (e.g., each of the security platformscan be implemented using a firewall (FW)/Next Generation Firewall(NGFW), a network sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) for providing 5G multi-access security as furtherdescribed below. As shown, the 5G network can also include Fixed/Wiredaccess as shown at 104, Non-3GPP access such as Wi-Fi Access as shown at106, 5G Radio Access Network (RAN) access as shown at 108, 4G RAN accessas shown at 110, and/or other networks (not shown in FIG. 1A) tofacilitate data communications for subscribers (e.g., using UserEquipment (UE), such as smart phones, laptops, computers (which may bein a fixed location), and/or other cellular enabled computingdevices/equipment, such as CIoT devices, or other network communicationenabled devices) including over a Local Data Network (e.g., enterprisenetwork) 112 and a Data Network (e.g., the Internet) 120 to accessvarious applications, web services, content hosts, etc. and/or othernetworks. As shown in FIG. 1A, each of the 5G network access mechanisms104, 106, 108, and 110 are in communication with 5G User Plane Functions114 a, which pass through Security Platform 102 a, and 5G User PlaneFunctions 114 a are in communication with 5G User Plane Functions 114 b.As shown, 4G RAN 110 and 5G RAN 108 are in communication with 5G CoreControl/Signaling Functions 118, which is in communication with 5G UserPlane Functions 114 b.

Referring to FIG. 1A, network traffic communications are monitored usingSecurity Platforms 102 a and 102 b. For example, Security Platform 102 acan also be in communication with security platform 102 b to facilitatethe disclosed techniques, such as for providing a correlation betweenmonitored GTP-U tunnel sessions and new HTTP/2 based TCP sessions asfurther described below. As shown, network traffic communications aremonitored/filtered in the 5G network using Security Platforms 102 a and102 b (e.g., (virtual) devices/appliances that each include a firewall(FW), a network sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) configured to perform the disclosed securitytechniques as further described below. In addition, Security Platforms102 a and/or 102 b can also be in network communication with a CloudSecurity Service 122 (e.g., a commercially available cloud-basedsecurity service, such as the WildFire™ cloud-based malware analysisenvironment that is a commercially available cloud security serviceprovided by Palo Alto Networks, Inc., which includes automated securityanalysis of malware samples as well as security expert analysis, or asimilar solution provided by another vendor can be utilized), such asvia the Internet. For example, Cloud Security Service 122 can beutilized to provide the Security Platforms with dynamic preventionsignatures for malware, DNS, URLs, CNC malware, and/or other malware aswell as to receive malware samples for further security analysis. Aswill now be apparent, network traffic communications can bemonitored/filtered using one or more security platforms for networktraffic communications in various locations within the 5G network tofacilitate 5G multi-access security.

FIG. 1B is a block diagram of a 5G wireless network with a securityplatform for providing 5G multi-edge security in mobile networks inaccordance with some embodiments. FIG. 1B is an example service providernetwork environment for a multi-edge 5G network architecture thatincludes Security Platforms in various locations on the edge of the 5Gnetwork as shown at 102 a, 102 b, 102 c, and 102 d for monitoringcommunications to 5G User Plane Functions 114 a-c and Local DataNetworks 112 a-b as well as Security Platform 102 e for monitoringcommunications to 5G Core Control/Signaling Functions 118 in CoreNetwork 116 (e.g., each of the security platforms can be implementedusing a firewall (FW)/Next Generation Firewall (NGFW), a network sensoracting on behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) forproviding 5G multi-edge security as further described below.

Referring to FIG. 1B, network traffic communications are monitored usingSecurity Platforms 102 a-e. For example, Security Platforms 102 a and102 b can also be in communication with Security Platform 102 e tofacilitate the disclosed techniques, such as for providing a correlationbetween monitored GTP-U tunnel sessions and new HTTP/2 based TCPsessions as further described below. As shown, network trafficcommunications are monitored/filtered in the 5G network using SecurityPlatforms 102 a-e (e.g., (virtual) devices/appliances that each includesa firewall (FW), a network sensor acting on behalf of the firewall, oranother device/component that can implement security policies using thedisclosed techniques) configured to perform the disclosed securitytechniques as further described below. As similarly described above withrespect to FIG. 1A, one or more of Security Platforms 102 a-e can alsobe in network communication with a Cloud Security Service 122 (not shownin FIG. 1B) (e.g., a commercially available cloud-based securityservice, such as the WildFire′ cloud-based malware analysis environmentthat is a commercially available cloud security service provided by PaloAlto Networks, Inc., which includes automated security analysis ofmalware samples as well as security expert analysis, or a similarsolution provided by another vendor can be utilized), such as via theInternet. For example, Cloud Security Service 122 can be utilized toprovide the Security Platforms with dynamic prevention signatures formalware, DNS, URLs, CNC malware, and/or other malware as well as toreceive malware samples for further security analysis. As will now beapparent, network traffic communications can be monitored/filtered usingone or more security platforms for network traffic communications invarious locations within the 5G network to facilitate 5G multi-edgesecurity.

FIG. 1C is a block diagram of a 5G wireless network with a securityplatform for providing a 5G roaming security—home routed scenario inmobile networks in accordance with some embodiments. FIG. 1C is anexample service provider network environment for a roaming 5G networkarchitecture that includes a Security Platform for monitoringcommunications to 5G User Plane Function 114-b and Roaming/PeeringNetwork 124 as well as for monitoring communications to 5G CoreControl/Signaling Functions 118 (e.g., the security platform can beimplemented using a firewall (FW)/Next Generation Firewall (NGFW), anetwork sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) for providing 5G roaming security as furtherdescribed below.

Referring to FIG. 1C, network traffic communications are monitored usingSecurity Platform 102 a. Specifically, in this roaming security—homerouted scenario, a single firewall monitors both control plane (HTTP/2)traffic and user plane (GTP-U) traffic (e.g., the N32 interface carriescontrol plane traffic, and the N9 interface carries GTP-U traffic asshown in FIG. 1C). For example, Security Platform 102 a can facilitatethe disclosed techniques, such as for providing a correlation betweenmonitored GTP-U tunnel sessions and new HTTP/2 based TCP sessions asfurther described below. As shown, network traffic communications aremonitored/filtered in the 5G network using Security Platform 102 a(e.g., (virtual) device/appliance that includes a firewall (FW), anetwork sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) configured to perform the disclosed securitytechniques as further described below. As similarly described above withrespect to FIG. 1A, Security Platform 102 a can also be in networkcommunication with a Cloud Security Service 122 (not shown in FIG. 1C)(e.g., a commercially available cloud-based security service, such asthe WildFire™ cloud-based malware analysis environment that is acommercially available cloud security service provided by Palo AltoNetworks, Inc., which includes automated security analysis of malwaresamples as well as security expert analysis, or a similar solutionprovided by another vendor can be utilized), such as via the Internet.For example, Cloud Security Service 122 can be utilized to provide theSecurity Platforms with dynamic prevention signatures for malware, DNS,URLs, CNC malware, and/or other malware as well as to receive malwaresamples for further security analysis. As will now be apparent, networktraffic communications can be monitored/filtered using one or moresecurity platforms for network traffic communications in variouslocations within the 5G network to facilitate 5G roaming security.

FIG. 1D is a block diagram of a 5G wireless network with securityplatforms for providing a 5G roaming security—local breakout scenario inmobile networks in accordance with some embodiments. FIG. 1D is anexample service provider network environment for a roaming 5G networkarchitecture that includes Security Platforms in various locations onthe edge of the 5G network including Security Platform 102 a formonitoring communications to 5G User Plane Functions 114 a-b and LocalData Network 112 and Roaming/Peering Network 124 as well as SecurityPlatform 102 b for monitoring communications to 5G CoreControl/Signaling Functions 118 (e.g., each of the security platformscan be implemented using a firewall (FW)/Next Generation Firewall(NGFW), a network sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) for providing 5G roaming security as furtherdescribed below.

Referring to FIG. 1D, network traffic communications are monitored usingSecurity Platforms 102 a and 102 b. Specifically, in this roamingsecurity—local breakout scenario, the N32 interface carries controlplane traffic, and the N3 interface is the interface between 5G RAN andUser Plane functions carrying GTP-U traffic. For example, SecurityPlatform 102 a can also be in communication with Security Platform 102 bto facilitate the disclosed techniques, such as for providing acorrelation between monitored GTP-U tunnel sessions and new HTTP/2 basedTCP sessions as further described below. As shown, network trafficcommunications are monitored/filtered in the 5G network using SecurityPlatforms 102 a and 102 b (e.g., (virtual) devices/appliances that eachincludes a firewall (FW), a network sensor acting on behalf of thefirewall, or another device/component that can implement securitypolicies using the disclosed techniques) configured to perform thedisclosed security techniques as further described below. As similarlydescribed above with respect to FIG. 1A, one or more of SecurityPlatforms 102 a and 102 b can also be in network communication with aCloud Security Service 122 (not shown in FIG. 1D) (e.g., a commerciallyavailable cloud-based security service, such as the WildFire™cloud-based malware analysis environment that is a commerciallyavailable cloud security service provided by Palo Alto Networks, Inc.,which includes automated security analysis of malware samples as well assecurity expert analysis, or a similar solution provided by anothervendor can be utilized), such as via the Internet. For example, CloudSecurity Service 122 can be utilized to provide the Security Platformswith dynamic prevention signatures for malware, DNS, URLs, CNC malware,and/or other malware as well as to receive malware samples for furthersecurity analysis. As will now be apparent, network trafficcommunications can be monitored/filtered using one or more securityplatforms for network traffic communications in various locations withinthe 5G network to facilitate 5G roaming security.

FIG. 1E is a block diagram of a 5G wireless network with a securityplatform for providing 5G multi-access distributed edge security inmobile networks in accordance with some embodiments. FIG. 1E is anexample service provider network environment for a multi-accessdistributed edge 5G network architecture that includes a SecurityPlatform 102 a and a Security Platform 102 b in various locations formonitoring communications to 5G User Plane Functions 114 a-c and LocalData Networks 112 a-b and to 5G Core Control/Signaling Functions 118 inCore Network 116 (e.g., each of the security platforms can beimplemented using a firewall (FW)/Next Generation Firewall (NGFW), anetwork sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) for providing 5G multi-access security as furtherdescribed below. As shown, the 5G network can also include Fixed/Wiredaccess as shown at 104, Non-3GPP access such as Wi-Fi Access as shown at106, 5G Radio Access Network (RAN) access as shown at 108, 4G RAN accessas shown at 110, and/or other networks (not shown in FIG. 1E) tofacilitate data communications for subscribers (e.g., using UserEquipment (UE), such as smart phones, laptops, computers (which may bein a fixed location), and/or other cellular enabled computingdevices/equipment, such as CIoT devices, or other network communicationenabled devices) including over a Local Data Network (e.g., enterprisenetwork) as shown at 112 a and 112 b and a Central Data Network (e.g.,the Internet) 120 to access various applications, web services, contenthosts, etc. and/or other networks. As shown in FIG. 1E, each of the 5Gnetwork access mechanisms 104, 106, 108, and 110 are in communicationwith 5G User Plane Function 114 a, which pass through Security Platform(e.g., NGFW) 102 a, and 5G User Plane Function 114 b, which pass throughSecurity Platform (e.g., NGFW) 102 b. As shown, 4G RAN 110 and 5G RAN108 are in communication with 5G Core Control/Signaling Functions (SMF)118, which are in communication with 5G User Plane Function 114 c.

Referring to FIG. 1E, network traffic communications are monitored usingSecurity Platforms 102 a and/or 102 b. For example, Security Platforms102 a and/or 102 b can be configured to facilitate the disclosedtechniques (e.g., and, optionally, can be in communication with eachother, with cloud security 122 (as shown with respect to SecurityPlatform 102 a), and/or with other security platforms (not shown)), suchas for providing a correlation between monitored GTP-U tunnels (e.g., onthe N3 interface) and PFCP sessions (e.g., on the N4 interface) asfurther described below. As shown, network traffic communications aremonitored/filtered in the 5G network using Security Platforms 102 aand/or 102 b (e.g., (virtual) devices/appliances that each include afirewall (FW), a network sensor acting on behalf of the firewall, oranother device/component that can implement security policies using thedisclosed techniques) configured to perform the disclosed securitytechniques as further described below. In addition, Security Platforms102 a and/or 102 b can also be in network communication with a CloudSecurity Service 122 (e.g., a commercially available cloud-basedsecurity service, such as the WildFire™ cloud-based malware analysisenvironment that is a commercially available cloud security serviceprovided by Palo Alto Networks, Inc., which includes automated securityanalysis of malware samples as well as security expert analysis, or asimilar solution provided by another vendor can be utilized), such asvia the Internet. For example, Cloud Security Service 122 can beutilized to provide the Security Platforms with dynamic preventionsignatures for malware, DNS, URLs, CNC malware, and/or other malware aswell as to receive malware samples for further security analysis. Aswill now be apparent, network traffic communications can bemonitored/filtered using one or more security platforms for networktraffic communications in various locations within the 5G network tofacilitate 5G multi-access distributed edge (e.g., MEC) security.

Thus, these and various other example network architectures can utilizethe disclosed security techniques for 5G mobile network environments inwhich one or more security platforms can be provided to perform trafficmonitoring and filtering to provide new and enhanced 5G related securitytechniques, including enhanced 5G related MEC security techniques, for5G mobile networks for service providers based on signaling and DPIinformation as further described below. As will now be apparent to oneof ordinary skill in the art in view of the disclosed embodiments, oneor more security platforms can similarly be provided in various otherlocations within these network architectures (e.g., an inline,pass-through NGFW, such as shown by Security Platforms as shown in FIGS.1A-E, and/or implemented as agents or virtual machines (VM) instances,which can be executed on existing devices in the service provider'snetwork, such as entities within the 5G User Plane Functions and/orwithin the 5G Core Control/Signaling Functions as shown in FIGS. 1A-E)and in various wireless network environments to perform the disclosedsecurity techniques as further described below.

Network Slice-Based Security in 5G Networks

Network slice is a logical network within a Public Land Mobile Network(PLMN), which can provide functionality of a complete network, includingRadio Access Network (RAN) functions, core network control plane, anduser plane functions. One network can support one or several networkslices. Generally, network slicing allows the operator (e.g., serviceprovider of the 5G network) to provide customized networks. For example,there can be different requirements on functionality (e.g., priority,charging, policy control, security, and mobility), differences inperformance requirements (e.g., latency, mobility, availability,reliability and data rates), or they can serve only specific users(e.g., MPS users, Public Safety users, corporate customers, roamers, orhosting a Mobile Virtual Network Operator (MVNO)).

Network slice is identified by S-NSSAI (Single Network Slice SelectionAssistance Information). In an example 5G standard implementation,S-NSSAI includes a Slice/Service type (SST), 8 bits and SliceDifferentiator (SD), and optional information, 24 bits. As furtherdescribed herein, the network slice information can be monitored andextracted for applying security in 5G networks in accordance with someembodiments.

In some embodiments, network slice-based security is performed using asecurity platform located in a 5G mobile network by parsing HTTP/2messages to extract network slice information. In an exampleimplementation, HTTP/2 is used in a service-based interface as specifiedin 3GPP TS 29.500 V15.1.0 Based on the security platform deploymenttopology in the 5G network, the network slice information can beextracted from two service operation control messages as follows:

(1) Nsmf_PDUSession_CreateSMContext Request: It is used in a Create SMContext service operation as defined in 3GPP TS 29.502 V 15.3.0 tocreate an individual SM context, for a given PDU session, in the SMF, orin the V-SMF for HR roaming scenarios.

(2) Nsmf_PDUSession_Create Request: It is used in a Create serviceoperation as defined in 3GPP TS 29.502 V 15.3.0 to create an individualPDU session in the H-SMF for HR roaming scenarios.

Specifically, the Nsmf_PDUSession_CreateSMContext Request is used in thefollowing procedures:

(1) UE requested PDU session establishment procedure in the non-roamingand roaming with local breakout case defined in sub clause 4.3.2 in 3GPPTS 23.502 V15.3.0. Nsmf_PDUSession_CreateSMContext Request is sent fromAMF to SMF as further described below with respect to FIG. 2A.

FIG. 2A is an example flow of UE-requested PDU session establishment fornon-roaming and roaming with local breakout in a 5G network inaccordance with some embodiments. Referring to FIG. 2A, a first messagethat is sent from AMF 206 to SMF 210 is anNsmf_PDUSession_CreateSMContext Request message as shown at 202. TheNsmf_PDUSession_CreateSMContext Request message is used in a Create SMContext service operation as defined in 3GPP TS 29.502 V 15.3.0 tocreate an individual SM context, for a given PDU session, in the SMF, orin the V-SMF for HR roaming scenarios. In response, anNsmf_PDUSession_CreateSMContext Response message is sent from SMF 210 toAMF 206 as shown at 204.

FIG. 2B is an example flow of UE-requested PDU session establishment andmodification/update for non-roaming and roaming with local breakout in a5G network in accordance with some embodiments. Referring to FIG. 2B, anNsmf_PDUSession_UpdateSMContext Request message is sent from AMF 206 toSMF 210 as shown at 212. In response, an Nsmf_PDUSession_UpdateSMContextResponse message is sent from SMF 210 to AMF 206 as shown at 214.

FIG. 2C is an example flow of EPS to 5GS idle mode mobility or handoverusing the N26 interface in a 5G network in accordance with someembodiments. For example, the EPS to 5GS idle mode mobility or handoverusing the N26 interface case is defined in sub clause 4.11 in 3GPP TS23.502 V15.2.0. The Nsmf_PDUSession_Create Request is sent from theV-SMF to the H-SMF. The Nsmf_PDUSession_CreateSMContext Request is sentfrom the AMF to the SMF+PGW-C. The Nsmf_PDUSession_CreateSMContextRequest is sent from the AMF to the V-SMF in case of home routedscenario. Referring to FIG. 2C, a first message that is sent from MME220 to SMF+PGW-C 222 is an Nsmf_PDUSession_CreateSMContext Requestmessage as shown at 224. In response, an Nsmf_PDUSession_CreateSMContextResponse message is sent from SMF+PGW-C 222 to MME 220 as shown at 226.

FIG. 2D is an example flow of a mobility procedure from EPS to 5GSwithout using the N26 interface in a 5G network in accordance with someembodiments. For example, the EPS to 5GS mobility without N26 interfacecase defined in sub clause 4.11.2.3 in 3GPP TS 23.502 V15.2.0. TheNsmf_PDUSession_Create Request is sent from the V-SMF to the H-SMF. TheNsmf_PDUSession_CreateSMContext Request is sent from the New AMF 230 tothe SMF+PGW-C 232. Referring to FIG. 2D, anNsmf_PDUSession_CreateSMContext Request message is exchanged during theUE requested PDU Session Establishment Procedure as shown at 234.

FIG. 2E is an example flow of a handover of a PDU session between 3GPPaccess and non-3GPP access in which the target AMF does not know the SMFresource identifier of the SM context used by the source AMF in a 5Gnetwork in accordance with some embodiments. One example is handover ofa PDU session between 3GPP access and non-3GPP access in which thetarget AMF does not know the SMF resource identifier of the SM contextused by the source AMF in a 5G network, such as when the target AMF isnot in the PLMN of the N3IWF as defined in sub clause 4.9.2.3.2 in 3GPPTS 23.502 V15.2.0. The Nsmf_PDUSession_CreateSMContext Request is sentfrom the AMF 236 to the V-SMF 238. Referring to FIG. 2E, anNsmf_PDUSession_CreateSMContext Request message is exchanged during theUE requested UE Session Establishment Procedure as shown at 240.

FIG. 2F is an example flow of a handover of a PDU session from 3GPPaccess to untrusted non-3GPP access with N3IWF in the HPLMN (home routedroaming) in a 5G network in accordance with some embodiments. Forexample, this example addresses a use case scenario of when the UE isroaming and the selected N3IWF is in the HPLMN as defined in sub clause4.9.2.4.2 of 3GPP TS 23.502. The Nsmf_PDUSession_Create Request is sentfrom V-SMF to H-SMF. The Nsmf_PDUSession_CreateSMContext Request is sentfrom the AMF 242 to the H-SMF 244. Referring to FIG. 2F, anNsmf_PDUSession_CreateSMContext Request message is exchanged during thePDU Session Establishment Procedure as shown at 246.

FIG. 2G is an example flow of a handover of an EPS to 5GC-N3IWF in a 5Gnetwork in accordance with some embodiments. For example, this exampleaddresses a use case scenario of a handover of an EPS to 5GC-N3IWF asdefined in sub clause 4.11.3.1 of 3GPP TS 23.502. TheNsmf_PDUSession_CreateSMContext Request is sent from the AMF 248 to thePGW+SMF/UPF 250. Referring to FIG. 2G, anNsmf_PDUSession_CreateSMContext Request message is exchanged during thePDU Session Establishment Procedure as shown at 252.

FIG. 2H is an example flow of a handover of an EPC/ePDG to 5GS in a 5Gnetwork in accordance with some embodiments. For example, this exampleaddresses a use case scenario of a handover of an EPC/ePDG to 5GS asdefined in sub clause 4.11.4.1 of 3GPP TS 23.502. TheNsmf_PDUSession_CreateSMContext Request is sent from AMF 254 toPGW+SMF/UPF. Referring to FIG. 2H, an Nsmf_PDUSession_CreateSMContextRequest message is exchanged during the PDU Session EstablishmentProcedure as shown at 258.

FIG. 2I is an example flow of a UE-requested PDU session establishmentfor home routed roaming scenarios in a 5G network in accordance withsome embodiments. For example, this example addresses a use casescenario of a UE-requested PDU session establishment as defined in subclause 4.3.2.2.2 of 3GPP TS 23.502. The Nsmf_PDUSession_Create Requestis sent from V-SMF 260 to H-SMF 262. Referring to FIG. 2I, anNsmf_PDUSession_CreateRequest message is exchanged during the PDUSession Establishment Procedure as shown at 264.

FIG. 2J is an example flow of a UE-requested PDU session establishmentand modification/update for home routed roaming scenarios in a 5Gnetwork in accordance with some embodiments. Referring to FIG. 2J, anNsmf_PDUSession_UpdateSMContextRequest message is exchanged during thePDU Session Establishment Procedure as shown in FIG. 2J as shown at 270between AMF 266 and H-SMF 268.

In one embodiment, the security platform monitors these messages such asdescribed above with respect to FIGS. 2A-2J to extract network slicerelated information and/or other parameters/information, such asdescribed herein, that is included within these messages based on asecurity policy (e.g., monitoring Nsmf_PDUSession_CreateSMContextRequest and/or other messages using a pass through firewall/NGFW that islocated between various entities in the 5G core network or using afirewall/NGFW implemented as VM instances or agents executed on variousentities in the 5G core network). For example, the security platform canmonitor these messages and extract the Nsmf_PDUSession_CreateSMContextRequest message and/or other messages to obtain network sliceinformation (e.g., S-NSSAI, which includes a Slice/Service type (SST), 8bits and Slice Differentiator (SD), and optional information, 24 bits),such as further described below.

In one embodiment, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as HTTP/2traffic, and inspection of tunneled user traffic (e.g., including the N3GTP-U tunnel between the RAN and UPF, or N9 GTP-U tunnel between UPF's)in service provider networks, such as GTP-U traffic (e.g., using asecurity platform, such as implemented using an NGFW that is capable ofperforming DPI to identify an APP ID, a user ID, a content ID, performURL filtering, and/or other firewall/security policies forsecurity/threat detection/prevention). In one embodiment, the disclosedtechniques perform inspection of signaling/control traffic in serviceprovider networks, such as HTTP/2 traffic, to extract informationexchanged in the HTTP/2 traffic (e.g., parameters, such as Network Sliceinformation, Data Network Name (DNN), Subscription Permanent Identifier(SUPI), Permanent Equipment Identifier (PEI), General PublicSubscription Identifier (GPSI), and User Location information, such asfurther described below). In one embodiment, the disclosed techniquesperform inspection of signaling/control traffic in service providernetworks, such as HTTP/2 traffic, to extract information exchanged inthe HTTP/2 traffic (e.g., parameters, such as described above andfurther described below) as well as to monitor tunneled user traffic inservice provider networks (e.g., using DPI, such as described above andfurther described below) for use in applying a security policy based onthis extracted information and/or in combination with DPI, such asfurther described below.

These and other techniques for providing enhanced security in 5Gnetworks for service providers based on Network Slice information, DataNetwork Name (DNN), Subscription Permanent Identifier (SUPI), PermanentEquipment Identifier (PEI), General Public Subscription Identifier(GPSI), and User Location information (e.g., and/or in combination withother DPI and/or NGFW techniques, such as Application-ID, user ID,content ID, URL filtering, etc.) will be further described below.

Service-Based Security Per Data Network Name in 5G Networks

Techniques for service-based security per Data Network Name are alsodisclosed in accordance with some embodiments. In 5G networks, the DataNetwork Name (DNN) is generally equivalent to an Access Point Name (APN)(e.g., APN is a reference to a PGW/GGSN and it identifies the form ofaccess to another network, such as the Internet, and is composed of twoparts: (1) APN Network Identifier (mandatory); and (2) APN OperatorIdentifier (optional)) as defined in TS 23.003 V15.3.0. Both identifiershave an equivalent meaning and carry the same information. The DNN maybe used, for example, to: (1) select an SMF and UPF(s) for a PDUSession; (2) select an interface (N6) to Data Network for a PDU Session;and/or (3) determine policies to apply to this PDU Session.

In some embodiments, service-based security per Data Network Name (DNN)is applied using a security platform in 5G networks by parsing HTTP/2messages to extract DNN information.

As similarly described above, based on the security platform deploymenttopology in the 5G network, the Network Slice information can beextracted from two service operation control messages: (1)Nsmf_PDUSession_CreateSMContext Request; and (2) Nsmf_PDUSession_CreateRequest.

These and other techniques for providing enhanced security in 5Gnetworks for service providers based on Network Slice information, DataNetwork Name (DNN), Subscription Permanent Identifier (SUPI), PermanentEquipment Identifier (PEI), General Public Subscription Identifier(GPSI), and User Location information (e.g., and/or in combination withother DPI and/or NGFW techniques, such as Application-ID, user ID,content ID, URL filtering, etc.) will be further described below.

Service-Based Security Per Subscription Permanent Identifier in 5GNetworks

Techniques for service-based security per Subscription PermanentIdentifier are also disclosed in accordance with some embodiments. In 5Gnetworks, the Subscription Permanent Identifier (SUPI) is a globallyunique 5G subscription identifier allocated to each subscriber in the 5Gsystem. It is only inside the 3GPP system and defined in sub clause5.9.2 of 3GPP TS 23.501 V15.3.0.

For example, the SUPI may include the following: (1) an IMSI (e.g., IMSIis a unique 15 digit number allocated to each mobile subscriber in theGSM/UMTS/EPS system) as defined in 3GPP TS 23.003 V15.3.0; and (2)Network-Specific Identifier (e.g., NAI is the user identity submitted bythe client during network access authentication. In roaming, the purposeof the NAI is to identify the user as well as to assist in the routingof the authentication request), used for private networks as defined in3GPP TS 23.003 V15.3.0.

In some embodiments, service-based security per Subscription PermanentIdentifier (SUPI) is applied using a security platform in 5G networks byparsing HTTP/2 messages to extract SUPI information.

As similarly described above, based on the security platform deploymenttopology in the 5G network, the Network Slice information can beextracted from two service operation control messages: (1)Nsmf_PDUSession_CreateSMContext Request; and (2) Nsmf_PDUSession_CreateRequest.

These and other techniques for providing enhanced security in 5Gnetworks for service providers based on Network Slice information, DataNetwork Name (DNN), Subscription Permanent Identifier (SUPI), PermanentEquipment Identifier (PEI), General Public Subscription Identifier(GPSI), and User Location information (e.g., and/or in combination withother DPI and/or NGFW techniques, such as Application-ID, user ID,content ID, URL filtering, etc.) will be further described below.

Service-Based Security Per Permanent Equipment Identifier in 5G Networks

Techniques for service-based security per Permanent Equipment Identifierare also disclosed in accordance with some embodiments. In 5G networks,the Permanent Equipment Identifier (PEI) is defined for the 3GPP UEaccessing the 5G System. The PEI can assume different formats fordifferent UE types and use cases.

For example, if the UE supports at least one 3GPP access technology, theUE must be allocated a PEI in the IMEI format (e.g., IMEI is a unique 15or 16 digit number allocated to each mobile station equipment). As perthe latest release standards, the only formats supported for the PEIparameter are IMEI and IMEISV, as defined in TS 23.003 V15.3.0.

In some embodiments, service-based security per Permanent EquipmentIdentifier (PEI) is applied using a security platform in 5G networks byparsing HTTP/2 messages to extract PEI information.

As similarly described above, based on the security platform deploymenttopology in the 5G network, the PEI information can be extracted fromtwo service operation control messages: (1)Nsmf_PDUSession_CreateSMContext Request; and (2) Nsmf_PDUSession_CreateRequest.

These and other techniques for providing enhanced security in 5Gnetworks for service providers based on Network Slice information, DataNetwork Name (DNN), Subscription Permanent Identifier (SUPI), PermanentEquipment Identifier (PEI), General Public Subscription Identifier(GPSI), and User Location information (e.g., and/or in combination withother DPI and/or NGFW techniques, such as Application-ID, user ID,content ID, URL filtering, etc.) will be further described below.

Service-Based Security Per General Public Subscription Identifier in 5GNetworks

Techniques for service-based security per General Public SubscriptionIdentifier are also disclosed in accordance with some embodiments.Generally, the General Public Subscription Identifier (GPSI) is a publicidentifier used both inside and outside of the 3GPP system.

For example, the GPSI is used for addressing a 3GPP subscription indifferent data networks outside of the 3GPP system. Specifically, theGPSI is either an MSISDN (e.g., MS international ISDN numbers areallocated from the ITU-T Recommendation E.164 numbering plan, whichincludes a Country Code (CC) of the country in which the Mobile Stationis registered, followed by: National (significant) mobile number, whichincludes a National Destination Code (NDC) and Subscriber Number (SN))or an External Identifier, as specified in 3GPP TS 23.003 V15.3.0.

In some embodiments, service-based security per General PublicSubscription Identifier (GPSI) is applied using a security platform in5G networks by parsing HTTP/2 messages to extract GPSI information.

As similarly described above, based on the security platform deploymenttopology in the 5G network, the GPSI information can be extracted fromtwo service operation control messages: (1)Nsmf_PDUSession_CreateSMContext Request; and (2) Nsmf_PDUSession_CreateRequest.

These and other techniques for providing enhanced security in 5Gnetworks for service providers based on Network Slice information, DataNetwork Name (DNN), Subscription Permanent Identifier (SUPI), PermanentEquipment Identifier (PEI), General Public Subscription Identifier(GPSI), and User Location information (e.g., and/or in combination withother DPI and/or NGFW techniques, such as Application-ID, user ID,content ID, URL filtering, etc.) will be further described below.

Service-Based Security Per User Location in 5G Networks

Techniques for service-based security per User Location are alsodisclosed in accordance with some embodiments.

In some embodiments, service-based security per User Location is appliedusing a security platform in 5G networks by parsing HTTP/2 messages toextract User Location information.

As similarly described above, based on the security platform deploymenttopology in the 5G network, the User Location information can beextracted from two service operation control messages: (1)Nsmf_PDUSession_CreateSMContext Request; and (2) Nsmf_PDUSession_CreateRequest.

These and other techniques for providing enhanced security in 5Gnetworks for service providers based on Network Slice information, DataNetwork Name (DNN), Subscription Permanent Identifier (SUPI), PermanentEquipment Identifier (PEI), General Public Subscription Identifier(GPSI), and User Location information (e.g., and/or in combination withother DPI and/or NGFW techniques, such as Application-ID, user ID,content ID, URL filtering, etc.) will be further described below.

N4 Session Establishment Procedure in 5G Networks

FIG. 2K is an example flow of a Protocol Data Unit (PDU) sessionestablishment over an N4 interface between a 5G User Plane Function(UPF) and a 5G Core Control/Signaling Session Management Function (SMF)in a 5G network in accordance with some embodiments. Referring to FIG.2K, an SMF 282 receives a trigger to establish a new PDU Session orchange/relocate a UPF 280 for an established PDU Session as shown at272. At 274, SMF 282 sends an N4 session establishment request messageto UPF 280. At 276, UPF 280 responds with an N4 session establishmentresponse message. SMF 282 interacts with the network function thattriggered this procedure (e.g. an Access and Mobility ManagementFunction (AMF) or a Policy Control Function (PCF)). The informationelements and format of the Session Establishment Request and SessionEstablishment Response messages are also further described below withrespect to FIG. 9.

Multi-Access Distributed Edge Security in 5G Networks

In one embodiment, the security platform monitors these N4 sessionestablishment related messages such as described above with respect toFIG. 2K to extract various information and/or otherparameters/information, such as described herein, that is includedwithin these messages based on a security policy (e.g., monitoring N4Session Establishment Request/Response messages and/or other messagesusing a pass through firewall/NGFW that is located between variousentities in the 5G core network or using a firewall/NGFW implemented asVM instances or agents executed on various entities in the 5G corenetwork). For example, the security platform can monitor these messagesand extract the monitoring N4 Session Establishment Request andmonitoring N4 Session Establishment Response messages and/or othermessages to obtain various information and/or otherparameters/information, such as further described below.

In one embodiment, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as N4session establishment related traffic, and inspection of and correlationbetween monitored tunneled user traffic (e.g., including the N3 GTP-Utunnel between the RAN and UPF) and monitored PFCP sessions (e.g., onthe N4 interface, including between the UPF and SMF or another UPF) inservice provider networks, such as GTP-U traffic (e.g., using a securityplatform, such as implemented using an NGFW that is capable ofperforming DPI to identify an APP ID, a user ID, a content ID, performURL filtering, and/or other firewall/security policies forsecurity/threat detection/prevention). In one embodiment, the disclosedtechniques perform inspection of signaling/control traffic in serviceprovider networks, such as N4 session establishment related traffic(e.g., including PFCP sessions), to extract information exchanged in theN4 session establishment related traffic (e.g., parameters, such asInternational Mobile Subscription Identity (IMSI), International MobileEquipment Identifier (IMEI), Mobile Subscriber ISDN (MSISDN), and/orNetwork Access Identifier (NAI) related information, such as furtherdescribed below) for providing service-based security (e.g., performedusing a security policy implemented by a security platform that can beapplied) per IMSI, IMEI, MSISDN, and/or NAI to provide enhanced securityat the multi-access distributed edge locations in 5G networks. In oneembodiment, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as N4session establishment related traffic (e.g., including PFCP sessions),to extract information exchanged in the N4 session establishment relatedtraffic (e.g., parameters, such as described above and further describedbelow) as well as to monitor tunneled user traffic in service providernetworks (e.g., using DPI, such as described above and further describedbelow) for use in applying a security policy based on this extractedinformation and/or in combination with DPI for facilitating multi-accessdistributed edge security for 5G mobile/service provider networkenvironments, such as further described below.

These and other techniques for providing multi-access distributed edgesecurity in 5G networks for service providers based on IMSI, IMEI,MSISDN, and/or NAI, (e.g., and/or in combination with other DPI and/orNGFW techniques, such as Application-ID, user ID, content ID, URLfiltering, etc.) will be further described below.

Example Use Cases of Enhanced Security for 5G Networks for ServiceProviders

The disclosed techniques for providing enhanced security for 5Gmobile/service provider networks using a security platform for securitypolicy enforcement can be applied in a variety of additional example usecase scenarios for facilitating enhanced and more flexible and dynamicsecurity for 5G mobile/service provider network environments. Additionalexample use case scenarios will be further described below.

As a first example use case scenario, assume that mobile and convergednetwork operators are offering wireless IoT technologies (e.g., CIoTdevices) including Narrowband IoT (NB-IoT) and LTE-M to IoT/M2Mcustomers, such as utilities (e.g., gas, water, electric, etc.), watermeter management companies, fleet tracking companies, and/or other typesof customers. Most of the CIoT devices do not have compute capabilitiesand resources to provide security functionality and typically are notsecurely coded. As a result, this creates an opportunity for mobile andconverged network operators to offer network-based security services tothese customers that can be provided using the disclosed techniques forenhanced security for CIoT in mobile/service provider networks using asecurity platform for security policy enforcement (e.g., usinginspection and security capabilities on an N3 and interface as describedherein).

As a second example use case scenario, assume that mobile and convergednetwork operators are offering wireless IoT technologies (e.g., CIoTdevices) including Narrowband IoT (NB-IoT) and LTE-M to IoT/M2Mcustomers, such as utilities (e.g., gas, water, electric, etc.), watermeter management companies, fleet tracking companies, and/or other typesof customers. Most of the CIoT devices do not have compute capabilitiesand resources to provide security functionality and typically are notsecurely coded. As a result, this can lead to CIoT device initiatedattacks on the mobile network to which they are connected (e.g., and MECsystem). As similarly described herein, the disclosed techniques forenhanced security for CIoT in mobile/service provider networks using asecurity platform for security policy enforcement including inspectionand security capabilities on an S11-U interface can be performed toprotect the critical network elements of mobile networks from attackingCIoT devices.

Examples of IoT Threats

Example Smart Home vulnerabilities include the Belkin Wemo UPnP RemoteCommand Execution Vulnerability. Example router vulnerabilities includethe following: (1) Quanta LTE Router RCE Vulnerability; (2) NetgearProSAFE Remote Command Execution Vulnerability; (3) ZTE ZXV10 RouterCommand Execution Vulnerability; (4) Netgear Firmadyne Command InjectionVulnerability; (5) Sierra Wireless Unauthenticated Command InjectionVulnerability; and (6) D-Link Router Remote Command ExecutionVulnerability. Camera vulnerabilities, include the Beward IP CameraRemote Command Execution Vulnerability, and Axis Camera Remote CommandExecution Vulnerability. The above-described techniques for applyingDNN, IMEI, and/or Application-ID based security enforcement in serviceprovider networks can be performed to respond to such example routervulnerabilities. As an example, for one DNN, a mobile operator candefine an action block (e.g., to drop and log) for all router relatedremote code execution vulnerabilities. For another DNN, the mobileoperator can choose to define an action alert (e.g., to allow and log)for all router related remote code execution vulnerabilities. As anotherexample, for one Type Allocation Code (TAC) (TAC is first 8 digits ofIMEI used to identify the device make and model including, for example,IoT device, mobile phone, table, wearable, modem, WLAN router), a mobileoperator can define an action block (e.g., to drop and log) for allrouter related remote code execution vulnerabilities. For another groupof IMEI, the mobile operator can choose to define an action alert (e.g.,to allow and log) for all router related remote code executionvulnerabilities.

Mirai (malware) botnet attack is an example botnet attack that primarilytargets online consumer devices, such as IP cameras and home routers. Asan example for one DNN, a mobile operator can define an action block(e.g., to drop and log) for all Mirai Command and Control traffic usingantispyware signatures Threat ID: 13999 and 13974https://threatvault.paloaltonetworks.com/. For another APN, the mobileoperator can choose to define an action alert (e.g., to allow and log)for all Mirai Command and Control traffic. As another example for oneIMSI group defined by prefix or range, a mobile operator can define anaction block (e.g., to drop and log) for all Mirai Command and Controltraffic using antispyware signatures Threat ID: 13999 and 13974https://threatvault.paloaltonetworks.com/. For another IMSI groupdefined by prefix or range, the mobile operator can choose to define anaction alert (e.g., to allow and log) for all Mirai Command and Controltraffic.

As will now be apparent in view of the disclosed embodiments, a networkservice provider/mobile operator (e.g., a cellular service providerentity), a device manufacturer (e.g., an automobile entity, CIoT deviceentity, and/or other device manufacturer), and/or system integrators canspecify such security policies that can be enforced by a securityplatform using the disclosed techniques to solve these and othertechnical network security challenges, including technical networksecurity challenges for providing multi-access distributed edge securityfor 5G mobile/service provider network environments.

Example Hardware Components of a Network Device for Performing EnhancedSecurity for 5G Mobile Networks for Service Providers

FIG. 3 is a functional diagram of hardware components of a networkdevice for performing enhanced security for 5G mobile networks forservice providers in accordance with some embodiments. The example shownis a representation of physical/hardware components that can be includedin network device 300 (e.g., an appliance, gateway, or server that canimplement the security platform disclosed herein). Specifically, networkdevice 300 includes a high performance multi-core CPU 302 and RAM 304.Network device 300 also includes a storage 310 (e.g., one or more harddisks or solid state storage units), which can be used to store policyand other configuration information as well as signatures. In oneembodiment, storage 310 stores IMSI, IMEI, MSISDN, NAI, Network Sliceinformation, Data Network Name (DNN), Subscription Permanent Identifier(SUPI), Permanent Equipment Identifier (PEI), General PublicSubscription Identifier (GPSI), and/or User Location information, andassociated IP addresses and possibly other information (e.g.,Application-ID, Content-ID, User-ID, URL, and/or other information) thatare monitored for implementing the disclosed security policy enforcementtechniques using a security platform/firewall device. Network device 300can also include one or more optional hardware accelerators. Forexample, network device 300 can include a cryptographic engine 306configured to perform encryption and decryption operations, and one ormore FPGAs 308 configured to perform signature matching, act as networkprocessors, and/or perform other tasks.

Example Logical Components of a Network Device for Performing EnhancedSecurity for 5G Mobile Networks for Service Providers

FIG. 4 is a functional diagram of logical components of a network devicefor performing enhanced security for 5G mobile networks for serviceproviders in accordance with some embodiments. The example shown is arepresentation of logical components that can be included in networkdevice 400 (e.g., a data appliance, which can implement the disclosedsecurity platform and perform the disclosed techniques). As shown,network device 400 includes a management plane 402 and a data plane 404.In one embodiment, the management plane is responsible for managing userinteractions, such as by providing a user interface for configuringpolicies and viewing log data. The data plane is responsible formanaging data, such as by performing packet processing and sessionhandling.

Suppose a mobile device attempts to access a resource (e.g., a remoteweb site/server, an IoT device such as a CIoT device, or anotherresource) using an encrypted session protocol, such as SSL. Networkprocessor 406 is configured to monitor packets from the mobile device,and provide the packets to data plane 404 for processing. Flow 408identifies the packets as being part of a new session and creates a newsession flow. Subsequent packets will be identified as belonging to thesession based on a flow lookup. If applicable, SSL decryption is appliedby SSL decryption engine 410 using various techniques as describedherein. Otherwise, processing by SSL decryption engine 410 is omitted.Application identification (APP ID) module 412 is configured todetermine what type of traffic the session involves and to identify auser associated with the traffic flow (e.g., to identify anApplication-ID as described herein). For example, APP ID 412 canrecognize a GET request in the received data and conclude that thesession requires an HTTP decoder 414. As another example, APP ID 412 canrecognize a GTP-U message (e.g., N4 session establishmentrequest/response messages, such as described above with respect to FIG.2K, and conclude that the session requires a GTP decoder) (e.g., toextract information exchanged in the N4 session establishment relatedmessages including various parameters, such as International MobileSubscription Identity (IMSI), International Mobile Equipment Identifier(IMEI), Mobile Subscriber ISDN (MSISDN), and/or Network AccessIdentifier (NAI) related information, such as described above withrespect to FIG. 2K) and conclude that the session requires a GTPdecoder. For each type of protocol, there exists a corresponding decoder414. In one embodiment, the application identification is performed byan application identification module (e.g., APP ID component/engine),and a user identification is performed by another component/engine.Based on the determination made by APP ID 412, the packets are sent toan appropriate decoder 414. Decoder 414 is configured to assemblepackets (e.g., which may be received out of order) into the correctorder, perform tokenization, and extract out information (e.g., such asdescribed above to extract various information exchanged in the N4session establishment related messages as similarly described above andfurther described below with respect to FIG. 9). Decoder 414 alsoperforms signature matching to determine what should happen to thepacket. SSL encryption engine 416 performs SSL encryption using varioustechniques as described herein and the packets are then forwarded usinga forward component 418 as shown. As also shown, policies 420 arereceived and stored in the management plane 402. In one embodiment,policy enforcement (e.g., policies can include one or more rules, whichcan be specified using domain and/or host/server names, and rules canapply one or more signatures or other matching criteria or heuristics,such as for security policy enforcement for subscriber/IP flows onservice provider networks based on various extractedparameters/information from monitored HTTP/2 messages and/or DPI ofmonitored GTP-U traffic as disclosed herein) is applied as describedherein with respect to various embodiments based on the monitored,decrypted, identified, and decoded session traffic flows.

As also shown in FIG. 4, an interface (I/F) communicator 422 is alsoprovided for security platform manager communications (e.g., via (REST)APIs, messages, or network protocol communications or othercommunication mechanisms). In some cases, network communications ofother network elements on the service provider network are monitoredusing network device 400, and data plane 404 supports decoding of suchcommunications (e.g., network device 400, including I/F communicator 422and decoder 414, can be configured to monitor and/or communicate on, forexample, service-based interfaces such as Nsmf, Nnef and reference pointinterfaces such as N3, N4, N9, and/or other interfaces where wired andwireless network traffic flow exists as similarly described herein). Assuch, network device 400 including I/F communicator 422 can be used toimplement the disclosed techniques for security policy enforcement onmobile/service provider network environments as described above and aswill be further described below.

Additional example processes for the disclosed techniques for performingenhanced security for CIoT on mobile/service provider networkenvironments will now be described.

Example Processes for Enhanced Security for 5G Networks for ServiceProviders

FIG. 5 is a flow diagram of a process for performing enhanced securityfor 5G networks for service providers in accordance with someembodiments. In some embodiments, a process 500 as shown in FIG. 5 isperformed by the security platform and techniques as similarly describedabove including the embodiments described above with respect to FIGS.1A-4. In one embodiment, process 500 is performed by data appliance 300as described above with respect to FIG. 3, network device 400 asdescribed above with respect to FIG. 4, a virtual appliance, an SDNsecurity solution, a cloud security service, and/or combinations orhybrid implementations of the aforementioned as described herein.

The process begins at 502. At 502, monitoring network traffic on aservice provider network at a security platform to identify a newsession, wherein the service provider network includes a 5G network or aconverged 5G network, is performed. For example, the security platform(e.g., a firewall, a network sensor acting on behalf of the firewall, oranother device/component that can implement security policies) canmonitor GTP-U and HTTP/2 traffic on the mobile core network as similarlydescribed above.

At 504, extracting network slice information for user traffic associatedwith the new session at the security platform is performed. For example,the security platform can parse HTTP/2 messages to extract the networkslice information, in which the network slice is identified by SingleNetwork Slice Selection Assistance Information (S-NSSAI), usingDPI-based firewall techniques as similarly described above.

At 506, determining a security policy to apply at the security platformto the new session based on the network slice information is performed.For example, the security policy can be determined and/or enforced basedon various combinations of Network Slice information, Data Network Name(DNN), Subscription Permanent Identifier (SUPI), Permanent EquipmentIdentifier (PEI), General Public Subscription Identifier (GPSI), andUser Location information, such as similarly described above (e.g.,and/or in combination with other DPI-based firewall techniques, such asApplication-ID, user ID, content ID, URL filtering, etc.).

At 508, enforcing the security policy on the new session using thesecurity platform is performed. For example, various enforcement actions(e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle,restrict access, and/or other enforcement actions) can be performedusing the security platform as similarly described above.

FIG. 6 is another flow diagram of a process for performing enhancedsecurity for 5G networks for service providers in accordance with someembodiments. In some embodiments, a process 600 as shown in FIG. 6 isperformed by the security platform and techniques as similarly describedabove including the embodiments described above with respect to FIGS.1A-4. In one embodiment, process 600 is performed by data appliance 300as described above with respect to FIG. 3, network device 400 asdescribed above with respect to FIG. 4, a virtual appliance, an SDNsecurity solution, a cloud security service, and/or combinations orhybrid implementations of the aforementioned as described herein.

The process begins at 602. At 602, monitoring network traffic on aservice provider network at a security platform to identify a newsession, wherein the service provider network includes a 5G network or aconverged 5G network, is performed. For example, the security platform(e.g., a firewall, a network sensor acting on behalf of the firewall, oranother device/component that can implement security policies) canmonitor GTP-U and HTTP/2 traffic on the mobile core network as similarlydescribed above.

At 604, extracting subscription and/or equipment identifier informationfor user traffic associated with the new session at the securityplatform is performed. For example, the security platform can parseHTTP/2 messages to extract the subscription and/or equipment identifierinformation, in which the subscription and/or equipment identifierinformation is identified by a Subscription Permanent Identifier (SUPI),a General Public Subscription Identifier (GPSI), and/or a PermanentEquipment Identifier (PEI), using DPI-based firewall techniques assimilarly described above.

At 606, determining a security policy to apply at the security platformto the new session based on the subscription and/or equipment identifierinformation is performed. For example, the security policy can bedetermined and/or enforced based on various combinations of NetworkSlice information, Data Network Name (DNN), Subscription PermanentIdentifier (SUPI), Permanent Equipment Identifier (PEI), General PublicSubscription Identifier (GPSI), and User Location information, such assimilarly described above (e.g., and/or in combination with otherDPI-based firewall techniques, such as Application-ID, user ID, contentID, URL filtering, etc.).

At 608, enforcing the security policy on the new session using thesecurity platform is performed. For example, various enforcement actions(e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle,restrict access, and/or other enforcement actions) can be performedusing the security platform as similarly described above.

FIG. 7 is another flow diagram of a process for performing enhancedsecurity for 5G networks for service providers in accordance with someembodiments. In some embodiments, a process 700 as shown in FIG. 7 isperformed by the security platform and techniques as similarly describedabove including the embodiments described above with respect to FIGS.1A-4. In one embodiment, process 700 is performed by data appliance 300as described above with respect to FIG. 3, network device 400 asdescribed above with respect to FIG. 4, a virtual appliance, an SDNsecurity solution, a cloud security service, and/or combinations orhybrid implementations of the aforementioned as described herein.

The process begins at 702. At 702, monitoring network traffic on aservice provider network at a security platform to identify a newsession, wherein the service provider network includes a 5G network or aconverged 5G network, is performed. For example, the security platform(e.g., a firewall, a network sensor acting on behalf of the firewall, oranother device/component that can implement security policies) canmonitor GTP-U and HTTP/2 traffic on the mobile core network as similarlydescribed above.

At 704, extracting network name information for user traffic associatedwith the new session at the security platform is performed. For example,the security platform can parse HTTP/2 messages to extract the networkname information, in which the network name information is identified bya Data Network Name (DNN), using DPI-based firewall techniques assimilarly described above.

At 706, determining a security policy to apply at the security platformto the new session based on the network name information is performed.For example, the security policy can be determined and/or enforced basedon various combinations of Network Slice information, Data Network Name(DNN), Subscription Permanent Identifier (SUPI), Permanent EquipmentIdentifier (PEI), General Public Subscription Identifier (GPSI), andUser Location information, such as similarly described above (e.g.,and/or in combination with other DPI-based firewall techniques, such asApplication-ID, user ID, content ID, URL filtering, etc.).

At 708, enforcing the security policy on the new session using thesecurity platform is performed. For example, various enforcement actions(e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle,restrict access, and/or other enforcement actions) can be performedusing the security platform as similarly described above.

FIG. 8 is another flow diagram of a process for performing enhancedsecurity for 5G networks for service providers in accordance with someembodiments. In some embodiments, a process 800 as shown in FIG. 8 isperformed by the security platform and techniques as similarly describedabove including the embodiments described above with respect to FIGS.1A-4. In one embodiment, process 800 is performed by data appliance 300as described above with respect to FIG. 3, network device 400 asdescribed above with respect to FIG. 4, a virtual appliance, an SDNsecurity solution, a cloud security service, and/or combinations orhybrid implementations of the aforementioned as described herein.

The process begins at 802. At 802, monitoring network traffic on aservice provider network at a security platform to identify a newsession, wherein the service provider network includes a 5G network or aconverged 5G network, is performed. For example, the security platform(e.g., a firewall, a network sensor acting on behalf of the firewall, oranother device/component that can implement security policies) canmonitor GTP-U and HTTP/2 traffic on the mobile core network as similarlydescribed above.

At 804, extracting user location information for user traffic associatedwith the new session at the security platform is performed. For example,the security platform can parse HTTP/2 messages to extract the userlocation information, in which the user location information isidentified by a EutraLocation (e.g., Tracking Area Identity (TAI) andECGI (EUTRA Cell Identity)) and/or an NRLocation (e.g., Tracking AreaIdentity (TAI) and NR Cell Identity (NCGI)), using DPI-based firewalltechniques as similarly described above.

At 806, determining a security policy to apply at the security platformto the new session based on the user location information is performed.For example, the security policy can be determined and/or enforced basedon various combinations of Network Slice information, Data Network Name(DNN), Subscription Permanent Identifier (SUPI), Permanent EquipmentIdentifier (PEI), General Public Subscription Identifier (GPSI), andUser Location information, such as similarly described above (e.g.,and/or in combination with other DPI-based firewall techniques, such asApplication-ID, user ID, content ID, URL filtering, etc.).

At 808, enforcing the security policy on the new session using thesecurity platform is performed. For example, various enforcement actions(e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle,restrict access, and/or other enforcement actions) can be performedusing the security platform as similarly described above.

As will now be apparent in view of the disclosed embodiments, a networkservice provider/mobile operator (e.g., a cellular service providerentity), a device manufacturer (e.g., an automobile entity, IoT deviceentity, and/or other device manufacturer), and/or system integrators canspecify such security policies that can be enforced by a securityplatform using the disclosed techniques to solve these and othertechnical network security challenges on mobile networks, including 5Gnetworks.

Additional example processes for the disclosed techniques for performingmulti-access distributed edge security for 5G mobile networks forservice providers will now be described.

Example Processes for Performing Multi-Access Distributed Edge Securityfor 5G Mobile Networks for Service Providers

FIG. 9 is a screen shot diagram of a snapshot of a Packet ForwardingControl Protocol (PFCP) Session Establishment Request packet capture(pcap) for performing multi-access distributed edge security for 5Gnetworks for service providers in accordance with some embodiments.Referring to FIG. 9, a pcap of a PFCP Session Establishment Request isshown at 902. As specified in 3GPP TS 29.244 V15.3 (e.g., see section7.5.2), the PFCP Session Establishment Request shall be sent over theSxa, Sxb, Sxc, and N4 interface by the Control Plane (CP) function toestablish a new PFCP session context in the User Plane (UP) function. Asspecified in 3GPP TS 29.244 V15.3 (e.g., see section 7.5.3), the PFCPSession Establishment Response shall be sent over the Sxa, Sxb, Sxc, andN4 interface by the UP function to the CP function as a reply to thePFCP Session Establishment Request. The information elements and formatof the Session Establishment Request and Session Establishment Responsemessages are specified in 3GPP TS 29.244 V15.3 (e.g., see section 7.5.2for details of ‘PFCP Session Establishment Request’ message detailsincluding information elements, and see section 7.5.3 for details of‘PFCP Session Establishment Response’ message details includinginformation elements).

FIG. 10 is a flow diagram of a process for performing multi-accessdistributed edge security for 5G networks for service providers inaccordance with some embodiments. In some embodiments, a process 1000 asshown in FIG. 10 is performed by the security platform and techniques assimilarly described above including the embodiments described above withrespect to FIGS. 1A-5 and 9. In one embodiment, process 1000 isperformed by data appliance 300 as described above with respect to FIG.3, network device 400 as described above with respect to FIG. 4, avirtual appliance, an SDN security solution, a cloud security service,and/or combinations or hybrid implementations of the aforementioned asdescribed herein.

The process begins at 1002. At 1002, monitoring network traffic on aservice provider network at a security platform to identify a newsession is performed, wherein the service provider network includes a 5Gnetwork or a converged 5G network. For example, the security platform(e.g., a firewall, a network sensor acting on behalf of the firewall, oranother device/component that can implement security policies) canmonitor GTP-U traffic on the mobile core network as similarly describedabove.

At 1004, extracting subscription and/or equipment identifier informationfor user traffic associated with the new session at the securityplatform is performed. For example, the security platform can parse thePacket Forwarding Control Protocol (PFCP) Session Establishment Requestand PFCP Session Establishment Response messages to extract thesubscription and/or equipment identifier information (e.g., thesubscription and/or equipment identifier information is identified by anInternational Mobile Subscription Identity (IMSI), International MobileEquipment Identifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN)related information) using DPI-based firewall techniques as similarlydescribed above.

At 1006, determining a security policy to apply at the security platformto the new session based on the subscription and/or equipment identifierinformation is performed. For example, the security policy can bedetermined and/or enforced based on various combinations ofInternational Mobile Subscription Identity (IMSI), International MobileEquipment Identifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN)related information, such as similarly described above (e.g., and/or incombination with other DPI-based firewall techniques, such asApplication-ID, user ID, content ID, URL filtering, Network AccessIdentifier (NAI), etc.).

At 1008, enforcing the security policy on the new session using thesecurity platform is performed. For example, various enforcement actions(e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle,restrict access, and/or other enforcement actions) can be performedusing the security platform as similarly described above.

FIG. 11 is another flow diagram of a process for performing multi-accessdistributed edge security for 5G networks for service providers inaccordance with some embodiments. In some embodiments, a process 1100 asshown in FIG. 11 is performed by the security platform and techniques assimilarly described above including the embodiments described above withrespect to FIGS. 1A-5 and 9. In one embodiment, process 1100 isperformed by data appliance 300 as described above with respect to FIG.3, network device 400 as described above with respect to FIG. 4, avirtual appliance, an SDN security solution, a cloud security service,and/or combinations or hybrid implementations of the aforementioned asdescribed herein.

The process begins at 1102. At 1102, monitoring network traffic on aservice provider network at a security platform to identify a newsession is performed, wherein the service provider network includes a 5Gnetwork or a converged 5G network. For example, the security platform(e.g., a firewall, a network sensor acting on behalf of the firewall, oranother device/component that can implement security policies) canmonitor GTP-U traffic on the mobile core network as similarly describedabove.

At 1104, extracting network access identifier information for usertraffic associated with the new session at the security platform isperformed. For example, the security platform can parse the PacketForwarding Control Protocol (PFCP) Session Establishment Request andPFCP Session Establishment Response messages to extract Network AccessIdentifier (NAI) related information, wherein the NAI is associated witha user identity submitted by a client during a network accessauthentication, using DPI-based firewall techniques as similarlydescribed above.

At 1106, determining a security policy to apply at the security platformto the new session based on the network access identifier information isperformed. For example, the security policy can be determined and/orenforced based on various combinations of a Network Access Identifier(NAI) along with other information that can be extracted from such PFCPSession Establishment Request/Response messages including InternationalMobile Subscription Identity (IMSI), International Mobile EquipmentIdentifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN) relatedinformation, such as similarly described above (e.g., and/or incombination with other DPI-based firewall techniques, such asApplication-ID, user ID, content ID, URL filtering, etc.).

At 1108, enforcing the security policy on the new session using thesecurity platform is performed. For example, various enforcement actions(e.g., allow/pass, block/drop, alert, tag, monitor, log, throttle,restrict access, and/or other enforcement actions) can be performedusing the security platform as similarly described above.

As will now be apparent in view of the disclosed embodiments, a networkservice provider/mobile operator (e.g., a cellular service providerentity), a device manufacturer (e.g., an automobile entity, IoT deviceentity, and/or other device manufacturer), and/or system integrators canspecify such security policies that can be enforced by a securityplatform using the disclosed techniques to solve these and othertechnical network security challenges for providing multi-accessdistributed edge security on mobile networks, including 5G networks.

Although the foregoing embodiments have been described in some detailfor purposes of clarity of understanding, the invention is not limitedto the details provided. There are many alternative ways of implementingthe invention. The disclosed embodiments are illustrative and notrestrictive.

What is claimed is:
 1. A system, comprising: a processor configured to:monitor network traffic on a service provider network at a securityplatform to identify a new session, wherein the security platformmonitors wireless interfaces including a plurality of interfaces for acontrol protocol and user data traffic in a mobile core network for a 5Gnetwork to provide multi-access distributed edge security for the 5Gnetwork, and wherein the service provider network includes the 5Gnetwork or a converged 5G network; extract subscription and/or equipmentidentifier information for user traffic associated with the new sessionat the security platform, wherein the subscription and/or equipmentidentifier information is identified by a Subscription PermanentIdentifier (SUFI), a General Public Subscription Identifier (GPSI),and/or a Permanent Equipment Identifier (PEI); determine a securitypolicy to apply at the security platform to the new session based on thesubscription and/or equipment identifier information; and block the newsession from accessing a resource based on the security policy; and amemory coupled to the processor and configured to provide the processorwith instructions.
 2. The system recited in claim 1, wherein thesubscription and/or equipment identifier information is identified by anInternational Mobile Subscription Identity (IMSI), International MobileEquipment Identifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN)related information.
 3. The system recited in claim 1, wherein thesecurity platform parses Packet Forwarding Control Protocol (PFCP)Session Establishment Request and PFCP Session Establishment Responsemessages to extract the subscription and/or equipment identifierinformation, and wherein the subscription and/or equipment identifierinformation is identified by an International Mobile SubscriptionIdentity (IMSI), International Mobile Equipment Identifier (IMEI),and/or Mobile Subscriber ISDN (MSISDN) related information.
 4. Thesystem recited in claim 1, wherein the processor is further configuredto: extract network slice information for the user traffic associatedwith the new session at the security platform; and determine a securitypolicy to apply at the security platform to the new session based on thenetwork slice information.
 5. The system recited in claim 1, wherein themonitoring of the network traffic comprises to: identify data typeSmContextCreateData and/or data type PduSessionCreateData in the networktraffic.
 6. The system recited in claim 1, wherein the extracting of thesubscription and/or equipment identifier information comprises to:extract the subscription and/or equipment identifier information fromthe data type SmContextCreateData and/or data type PduSessionCreateData.7. A method, comprising: monitoring network traffic on a serviceprovider network at a security platform to identify a new session,wherein the security platform monitors wireless interfaces including aplurality of interfaces for a control protocol and user data traffic ina mobile core network for a 5G network to provide multi-accessdistributed edge security for the 5G network, and wherein the serviceprovider network includes the 5G network or a converged 5G network;extracting subscription and/or equipment identifier information for usertraffic associated with the new session at the security platform,wherein the subscription and/or equipment identifier information isidentified by a Subscription Permanent Identifier (SUPI), a GeneralPublic Subscription Identifier (GPSI), and/or a Permanent EquipmentIdentifier (PEI); determining a security policy to apply at the securityplatform to the new session based on the subscription and/or equipmentidentifier information; and blocking the new session from accessing aresource based on the security policy.
 8. The method of claim 7, whereinthe subscription and/or equipment identifier information is identifiedby an International Mobile Subscription Identity (IMSI), InternationalMobile Equipment Identifier (IMEI), and/or Mobile Subscriber ISDN(MSISDN) related information.
 9. The method of claim 7, wherein thesecurity platform parses Packet Forwarding Control Protocol (PFCP)Session Establishment Request and PFCP Session Establishment Responsemessages to extract the subscription and/or equipment identifierinformation, and wherein the subscription and/or equipment identifierinformation is identified by an International Mobile SubscriptionIdentity (IMSI), International Mobile Equipment Identifier (IMEI),and/or Mobile Subscriber ISDN (MSISDN) related information.
 10. Themethod of claim 7, wherein the monitoring of the network trafficcomprises to: identifying data type SmContextCreateData and/or data typePduSessionCreateData in the network traffic.
 11. The method of claim 7,wherein the extracting of the subscription and/or equipment identifierinformation comprises to: extracting the subscription and/or equipmentidentifier information from the data type SmContextCreateData and/ordata type PduSessionCreateData.
 12. A computer program product, thecomputer program product being embodied in a tangible computer readablestorage medium and comprising computer instructions for: monitoringnetwork traffic on a service provider network at a security platform toidentify a new session, wherein the security platform monitors wirelessinterfaces including a plurality of interfaces for a control protocoland user data traffic in a mobile core network for a 5G network toprovide multi-access distributed edge security for the 5G network, andwherein the service provider network includes the 5G network or aconverged 5G network; extracting subscription and/or equipmentidentifier information for user traffic associated with the new sessionat the security platform, wherein the subscription and/or equipmentidentifier information is identified by a Subscription PermanentIdentifier (SUPI), a General Public Subscription Identifier (GPSI),and/or a Permanent Equipment Identifier (PEI); determining a securitypolicy to apply at the security platform to the new session based on thesubscription and/or equipment identifier information; and blocking thenew session from accessing a resource based on the security policy. 13.The computer program product recited in claim 12, wherein thesubscription and/or equipment identifier information is identified by anInternational Mobile Subscription Identity (IMSI), International MobileEquipment Identifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN)related information.
 14. The computer program product recited in claim12, wherein the security platform parses Packet Forwarding ControlProtocol (PFCP) Session Establishment Request and PFCP SessionEstablishment Response messages to extract the subscription and/orequipment identifier information, and wherein the subscription and/orequipment identifier information is identified by an InternationalMobile Subscription Identity (IMSI), International Mobile EquipmentIdentifier (IMEI), and/or Mobile Subscriber ISDN (MSISDN) relatedinformation.
 15. The computer program product recited in claim 12,wherein the monitoring of the network traffic comprises to: identifyingdata type SmContextCreateData and/or data type PduSessionCreateData inthe network traffic.
 16. The computer program product recited in claim12, wherein the extracting of the subscription and/or equipmentidentifier information comprises to: extracting the subscription and/orequipment identifier information from the data type SmContextCreateDataand/or data type PduSessionCreateData.
 17. A system, comprising: aprocessor configured to: monitor network traffic on a service providernetwork at a security platform to identify a new session, wherein thesecurity platform monitors wireless interfaces including a plurality ofinterfaces for a control protocol and user data traffic in a mobile corenetwork for a 5G network to provide multi-access distributed edgesecurity for the 5G network, and wherein the service provider networkincludes the 5G network or a converged 5G network; extract networkaccess identifier information for user traffic associated with the newsession at the security platform, wherein the network access identifierinformation is identified by a Network Access Identifier (NAI) relatedinformation, wherein the NAI is associated with a user identitysubmitted by a client during a network access authentication; determinea security policy to apply at the security platform to the new sessionbased on the network access identifier information; and block the newsession from accessing a resource based on the security policy; and amemory coupled to the processor and configured to provide the processorwith instructions.
 18. The system recited in claim 17, wherein thenetwork access identifier information is identified by a Network AccessIdentifier (NAI) related information, wherein the NAI is associated witha user identity submitted by a client during a network accessauthentication.
 19. A method, comprising: monitoring network traffic ona service provider network at a security platform to identify a newsession, wherein the security platform monitors wireless interfacesincluding a plurality of interfaces for a control protocol and user datatraffic in a mobile core network for a 5G network to providemulti-access distributed edge security for the 5G network, and whereinthe service provider network includes the 5G network or a converged 5Gnetwork; extracting network access identifier information for usertraffic associated with the new session at the security platform,wherein the network access identifier information is identified by aNetwork Access Identifier (NAI) related information, wherein the NAI isassociated with a user identity submitted by a client during a networkaccess authentication; determining a security policy to apply at thesecurity platform to the new session based on the network accessidentifier information; and blocking the new session from accessing aresource based on the security policy.
 20. A computer program product,the computer program product being embodied in a tangible computerreadable storage medium and comprising computer instructions for:monitoring network traffic on a service provider network at a securityplatform to identify a new session, wherein the security platformmonitors wireless interfaces including a plurality of interfaces for acontrol protocol and user data traffic in a mobile core network for a 5Gnetwork to provide multi-access distributed edge security for the 5Gnetwork, and wherein the service provider network includes the 5Gnetwork or a converged 5G network; extracting network access identifierinformation for user traffic associated with the new session at thesecurity platform, wherein the network access identifier information isidentified by a Network Access Identifier (NAI) related information,wherein the NAI is associated with a user identity submitted by a clientduring a network access authentication; determining a security policy toapply at the security platform to the new session based on the networkaccess identifier information; and blocking the new session fromaccessing a resource based on the security policy.